mirror of https://github.com/NixOS/nix synced 2024-09-19 10:50:24 -04:00

address review comments

Valentin Gagarin 2024-09-11 12:45:45 +02:00
parent 287e684522
commit db2bf5b631
3 changed files with 31 additions and 1 deletions


@ -63,6 +63,9 @@ Team meetings are generally open to anyone interested.
We can make exceptions to discuss sensitive issues, such as security incidents or people matters.
Contact any team member to get a calendar invite for reminders and updates.
> [!IMPORTANT]
> [Handling security reports](./security-reports.md) always takes priority.
## Project board protocol
The team uses a [GitHub project board](https://github.com/orgs/NixOS/projects/19/views/1) for tracking its work.
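Review bot: The new `[!IMPORTANT]` callout lands at the end of the team-meetings paragraph, between "Contact any team member to get a calendar invite..." and the "## Project board protocol" heading, so it reads as a note about meetings rather than a general statement of priority. Consider moving it to the top of the document (or the section describing how the team prioritizes work) so that "Handling security reports always takes priority" applies to everything the page describes, not just meeting scheduling. The relative link `./security-reports.md` matches the file added in this commit, so the reference itself resolves.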


@ -201,13 +201,17 @@ release:
## Security releases
> See also the instructions for [handling security reports](./security-reports.md).
Once a security fix is ready for merging:
1. Summarize *all* past communication in the report.
1. Request a CVE in the [GitHub security advisory](https://github.com/NixOS/nix/security/advisories) for the security fix.
1. Notify all collaborators on the advisory with a timeline for the release.
1. Merge the fix.
1. Merge the fix. Publish the advisory.
1. [Make point releases](#creating-point-releases) for all affected versions.
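Review bot: The revised step "1. Merge the fix. Publish the advisory." places advisory publication before "[Make point releases](#creating-point-releases) for all affected versions", so the advisory (and the CVE it carries) becomes public while no fixed release exists for users to upgrade to. Either swap the order so the advisory is published once the point releases are available, or say explicitly that the merge, the point releases and the advisory publication are done as one coordinated step on the date communicated to collaborators in the "Notify all collaborators on the advisory with a timeline for the release" step. Since a single list item now bundles two actions ("Merge the fix. Publish the advisory."), splitting them into separate numbered steps would also make the intended ordering unambiguous.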


@ -0,0 +1,23 @@
# Handling security reports
Reports can be expected to be submitted following the [security policy](https://github.com/NixOS/nix/security/policy), but may reach maintainers on various other channels.
In case a vulnerability is reported:
1. [Create a GitHub security advisory](https://github.com/NixOS/nix/security/advisories/new)
> [!IMPORTANT]
> Add the reporter as a collaborator so they get notified of all activities.
Note deadlines if applicable.
1. Establish a private communication channel (e.g. a Matrix room) with the reporter and all Nix maintainers.
1. Communicate with the reporter which team members are assigned and when they are available.
1. Prioritize fixing the security issue over ongoing work.
1. Keep everyone involved up to date on progress and the estimated timeline for releasing the fix.
> See also the instructions for [security releases](./release-process.md#security-releases).
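Review bot: In step 1, the `[!IMPORTANT]` callout and the sentence "Note deadlines if applicable." need to be indented under the list item; as written they break the list, so "Note deadlines if applicable." renders as a stray paragraph and the numbering may restart at the next "1." item. Folding it into the first step (for example, "Create a GitHub security advisory, add the reporter as a collaborator so they get notified of all activities, and note any deadlines the reporter has given") keeps the list intact. The procedure also goes straight from "a vulnerability is reported" to creating an advisory without a triage step; a short item confirming the report is valid and in scope, and assessing its severity, would help maintainers decide whether steps 2 through 5 apply. Finally, step 2 says the private channel includes "all Nix maintainers" while step 3 says the reporter is told "which team members are assigned"; clarifying whether the whole team or only the assignees join the channel avoids ambiguity about who has access to the unpublished details.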