git@vger.kernel.org mailing list mirror (one of many)
From: Thomas Gummerer <t.gummerer@gmail.com>
To: Jonathan Nieder <jrnieder@gmail.com>
Cc: git@vger.kernel.org, "Junio C Hamano" <gitster@pobox.com>,
	"Ævar Arnfjörð Bjarmason" <avarab@gmail.com>
Subject: [PATCH 2/1] SubmittingPatches: not git-security@googlegroups.com
Date: Sun, 27 May 2018 22:08:22 +0100
Message-ID: <20180527210822.GB8868@hank.intra.tgummerer.com>
In-Reply-To: <20180527153418.GG207547@aiede.svl.corp.google.com>

On 05/27, Jonathan Nieder wrote:
> Thomas Gummerer wrote:
> 
> > Add a mention of the security mailing list to the README.
> > 2caa7b8d27 ("git manpage: note git-security@googlegroups.com",
> > 2018-03-08) already added it to the man page, but I suspect that for
> > many developers, such as myself, the README would be the first place
> > to go looking for it.
> >
> > Use the same wording as we already have on the git-scm.com website and
> > in the man page.
> >
> > Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com>
> > ---
> >  README.md | 3 +++
> >  1 file changed, 3 insertions(+)
> 
> Reviewed-by: Jonathan Nieder <jrnieder@gmail.com>

Thanks!

> > 2caa7b8d27 ("git manpage: note git-security@googlegroups.com",
> > 2018-03-08) also mentions SubmittingPatches, but I think people are
> > much more likely to submit a report of a security issue first, rather
> > than sending a patch, for which I think the README is more useful.
> 
> I don't see a mention of SubmittingPatches in "git show 2caa7b8d27"
> output.  git help git tells me:
> 
> 	Report bugs to the Git mailing list <git@vger.kernel.org>
> 	where the development and maintenance is primarily done. You
> 	do not have to be subscribed to the list to send a message
> 	there.
> 
> 	Issues which are security relevant should be disclosed
> 	privately to the Git Security mailing list
> 	<git-security@googlegroups.com>.
> 
> Do you mean that the discussion around that change suggested updating
> SubmittingPatches too?  The "Sending your patches" section indeed
> mentions git@vger.kernel.org, so a mention of the security list would
> indeed be welcome there, even though typically the discussion has
> already started there before a patch is written.

Yeah sorry, that's what I meant.
https://public-inbox.org/git/20180308150820.22588-1-avarab@gmail.com/
is the reference I meant to put there.

How about something like the below?  This is tested with asciidoc
8.6.10 and asciidoctor 1.5.6.2.  I'm also happy to squash the two
patches into one if that's preferred.

--->8---

The previous commit added a note about the Git Security mailing list
to the README.  Add it to Documentation/SubmittingPatches as well, so
developers trying to submit a security relevant patch are pointed in
the right direction.

The wording is adjusted slightly compared to the git-scm.com website
and the README, as they are talking about issues, while
SubmittingPatches is talking about patches.

Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com>
---
 Documentation/SubmittingPatches | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Documentation/SubmittingPatches b/Documentation/SubmittingPatches
index 945f8edb46..aeb7948d98 100644
--- a/Documentation/SubmittingPatches
+++ b/Documentation/SubmittingPatches
@@ -264,6 +264,11 @@ people who are involved in the area you are touching (the `git
 contacts` command in `contrib/contacts/` can help to
 identify them), to solicit comments and reviews.
 
+:1: footnote:[The Git Security mailing list: git-security@googlegroups.com]
+
+Patches which are security relevant should be submitted privately to
+the Git Security mailing list{1}.
+
 :1: footnote:[The current maintainer: gitster@pobox.com]
 :2: footnote:[The mailing list: git@vger.kernel.org]
 
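Review bot: the added ":1:" attribute entry reuses a name that the unchanged line directly below it redefines as "footnote:[The current maintainer: gitster@pobox.com]", so the new "{1}" only resolves to the security list because the paragraph sits between the two definitions. If the paragraph or either definition is later moved, the sentence about private submission would silently point at the maintainer footnote instead of git-security@googlegroups.com. Giving the new footnote its own named attribute (for example ":security-ml: footnote:[...]", referenced as "{security-ml}") would remove the dependence on ordering.
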
-- 
2.17.0.921.gf22659ad46
