mirror of https://github.com/NixOS/nix, synced 2024-09-19 10:50:24 -04:00
address review comments
This commit is contained in: parent 287e684522, commit db2bf5b631
@ -63,6 +63,9 @@ Team meetings are generally open to anyone interested.
We can make exceptions to discuss sensitive issues, such as security incidents or people matters.
Contact any team member to get a calendar invite for reminders and updates.
> [!IMPORTANT]
> [Handling security reports](./security-reports.md) always takes priority.
## Project board protocol
The team uses a [GitHub project board](https://github.com/orgs/NixOS/projects/19/views/1) for tracking its work.
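Review bot: the `[!IMPORTANT]` callout says handling security reports "always takes priority" but not over what; since it sits in the team-meetings section right after the sentence about exceptions for security incidents, state the scope explicitly, e.g. `> [Handling security reports](./security-reports.md) always takes priority over other agenda items and ongoing work.` Also, the relative link `./security-reports.md` only resolves if this file lives in the same directory as the new `maintainers/security-reports.md`; the hunk does not show the file name, so that is worth confirming.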
@ -201,13 +201,17 @@ release:
## Security releases
> See also the instructions for [handling security reports](./security-reports.md).
Once a security fix is ready for merging:
1. Summarize *all* past communication in the report.
1. Request a CVE in the [GitHub security advisory](https://github.com/NixOS/nix/security/advisories) for the security fix.
1. Notify all collaborators on the advisory with a timeline for the release.
1. Merge the fix.
1. Merge the fix. Publish the advisory.
1. [Make point releases](#creating-point-releases) for all affected versions.
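Review bot: the step order publishes the advisory (in "Merge the fix. Publish the advisory.") before "[Make point releases](#creating-point-releases) for all affected versions", so the vulnerability becomes public while users of the affected versions still have no patched release to upgrade to; consider cutting the point releases before publishing the advisory, or state that the merge, the point releases and the advisory publication are to be done together within the timeline that the earlier step communicates to the collaborators. Minor: step 1 says to summarize past communication "in the report", while the remaining steps work in the GitHub security advisory; "in the advisory" would make clear where the summary goes.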
23 maintainers/security-reports.md Normal file
@ -0,0 +1,23 @@
# Handling security reports
Reports can be expected to be submitted following the [security policy](https://github.com/NixOS/nix/security/policy), but may reach maintainers on various other channels.
In case a vulnerability is reported:
1. [Create a GitHub security advisory](https://github.com/NixOS/nix/security/advisories/new)
> [!IMPORTANT]
> Add the reporter as a collaborator so they get notified of all activities.
Note deadlines if applicable.
1. Establish a private communication channel (e.g. a Matrix room) with the reporter and all Nix maintainers.
1. Communicate with the reporter which team members are assigned and when they are available.
1. Prioritize fixing the security issue over ongoing work.
1. Keep everyone involved up to date on progress and the estimated timeline for releasing the fix.
> See also the instructions for [security releases](./release-process.md#security-releases).
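Review bot: the `> [!IMPORTANT]` blockquote and the `Note deadlines if applicable.` paragraph sit at column 0 between the first and second list items, which ends the Markdown list; the following `1.` items then start a new list, so the page renders as step 1 followed by steps 1 to 4 rather than steps 1 to 5. Indent the callout and the note by three spaces so they become part of step 1, i.e. `   > [!IMPORTANT]` / `   > Add the reporter as a collaborator so they get notified of all activities.` / `   Note deadlines if applicable.`. Also, every other step ends with a period while "[Create a GitHub security advisory](...)" does not. Finally, the checklist goes straight from a report to creating an advisory; a short triage step before it (confirm that the report describes a vulnerability in Nix and which versions are affected) would give the advisory, the deadline note and the later point releases for "all affected versions" something concrete to rest on.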