* [PATCH] README: note git-security@googlegroups.com @ 2018-05-27 14:04 Thomas Gummerer 2018-05-27 15:34 ` Jonathan Nieder 2018-05-30 20:52 ` [PATCH v2 1/2] SubmittingPatches: replace numbered attributes with names Thomas Gummerer 0 siblings, 2 replies; 11+ messages in thread From: Thomas Gummerer @ 2018-05-27 14:04 UTC (permalink / raw) To: git; +Cc: Junio C Hamano, Ævar Arnfjörð Bjarmason, Thomas Gummerer Add a mention of the security mailing list to the README. 2caa7b8d27 ("git manpage: note git-security@googlegroups.com", 2018-03-08) already added it to the man page, but I suspect that for many developers, such as myself, the README would be the first place to go looking for it. Use the same wording as we already have on the git-scm.com website and in the man page. Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> --- 2caa7b8d27 ("git manpage: note git-security@googlegroups.com", 2018-03-08) also mentions SubmittingPatches, but I think people are much more likely to submit a report of a security issue first, rather than sending a patch, for which I think the README is more useful. README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index f17af66a97..f920a42fad 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,9 @@ the body to majordomo@vger.kernel.org. The mailing list archives are available at <https://public-inbox.org/git/>, <http://marc.info/?l=git> and other archival sites. +Issues which are security relevant should be disclosed privately to +the Git Security mailing list <git-security@googlegroups.com>. + The maintainer frequently sends the "What's cooking" reports that list the current status of various development topics to the mailing list. The discussion following them give a good reference for -- 2.17.0.921.gf22659ad46 ^ permalink raw reply related [flat|nested] 11+ messages in thread
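Review bot: The added sentence in the README.md hunk comes directly after the line listing the public archives, and it never says that the public list is the wrong place for a security report, so a reader who acts on the first address in that paragraph has already posted to an archived list before reaching it. Consider making the contrast explicit, for example "should be disclosed privately to the Git Security mailing list <git-security@googlegroups.com>, not to the public list", or moving the sentence ahead of the archive links.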
* Re: [PATCH] README: note git-security@googlegroups.com 2018-05-27 14:04 [PATCH] README: note git-security@googlegroups.com Thomas Gummerer @ 2018-05-27 15:34 ` Jonathan Nieder 2018-05-27 21:08 ` [PATCH 2/1] SubmittingPatches: not git-security@googlegroups.com Thomas Gummerer 2018-05-30 20:52 ` [PATCH v2 1/2] SubmittingPatches: replace numbered attributes with names Thomas Gummerer 1 sibling, 1 reply; 11+ messages in thread From: Jonathan Nieder @ 2018-05-27 15:34 UTC (permalink / raw) To: Thomas Gummerer Cc: git, Junio C Hamano, Ævar Arnfjörð Bjarmason Thomas Gummerer wrote: > Add a mention of the security mailing list to the README. > 2caa7b8d27 ("git manpage: note git-security@googlegroups.com", > 2018-03-08) already added it to the man page, but I suspect that for > many developers, such as myself, the README would be the first place > to go looking for it. > > Use the same wording as we already have on the git-scm.com website and > in the man page. > > Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> > --- > README.md | 3 +++ > 1 file changed, 3 insertions(+) Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> > 2caa7b8d27 ("git manpage: note git-security@googlegroups.com", > 2018-03-08) also mentions SubmittingPatches, but I think people are > much more likely to submit a report of a security issue first, rather > than sending a patch, for which I think the README is more useful. I don't see a mention of SubmittingPatches in "git show 2caa7b8d27" output. git help git tells me: Report bugs to the Git mailing list <git@vger.kernel.org> where the development and maintenance is primarily done. You do not have to be subscribed to the list to send a message there. Issues which are security relevant should be disclosed privately to the Git Security mailing list <git-security@googlegroups.com>. Do you mean that the discussion around that change suggested updating SubmittingPatches too? 
The "Sending your patches" section indeed mentions git@vger.kernel.org, so a mention of the security list would indeed be welcome there, even though typically the discussion has already started there before a patch is written. Thanks, Jonathan ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 2/1] SubmittingPatches: not git-security@googlegroups.com 2018-05-27 15:34 ` Jonathan Nieder @ 2018-05-27 21:08 ` Thomas Gummerer 2018-05-28 3:00 ` Junio C Hamano 0 siblings, 1 reply; 11+ messages in thread From: Thomas Gummerer @ 2018-05-27 21:08 UTC (permalink / raw) To: Jonathan Nieder Cc: git, Junio C Hamano, Ævar Arnfjörð Bjarmason On 05/27, Jonathan Nieder wrote: > Thomas Gummerer wrote: > > > Add a mention of the security mailing list to the README. > > 2caa7b8d27 ("git manpage: note git-security@googlegroups.com", > > 2018-03-08) already added it to the man page, but I suspect that for > > many developers, such as myself, the README would be the first place > > to go looking for it. > > > > Use the same wording as we already have on the git-scm.com website and > > in the man page. 
> > > > Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> > > --- > > README.md | 3 +++ > > 1 file changed, 3 insertions(+) > > Reviewed-by: Jonathan Nieder <jrnieder@gmail.com> Thanks! > > 2caa7b8d27 ("git manpage: note git-security@googlegroups.com", > > 2018-03-08) also mentions SubmittingPatches, but I think people are > > much more likely to submit a report of a security issue first, rather > > than sending a patch, for which I think the README is more useful. > > I don't see a mention of SubmittingPatches in "git show 2caa7b8d27" > output. git help git tells me: > > Report bugs to the Git mailing list <git@vger.kernel.org> > where the development and maintenance is primarily done. You > do not have to be subscribed to the list to send a message > there. > > Issues which are security relevant should be disclosed > privately to the Git Security mailing list > <git-security@googlegroups.com>. > > Do you mean that the discussion around that change suggested updating > SubmittingPatches too? The "Sending your patches" section indeed > mentions git@vger.kernel.org, so a mention of the security list would > indeed be welcome there, even though typically the discussion has > already started there before a patch is written. Yeah sorry, that's what I meant. https://public-inbox.org/git/20180308150820.22588-1-avarab@gmail.com/ is the reference I meant to put there. How about something like the below? This is tested with asciidoc 8.6.10 and asciidoctor 1.5.6.2. I'm also happy to squash the two patches into one if that's preferred. --->8--- The previous commit added a note about the Git Security mailing list to the README. Add it to Documentation/SubmittingPatches as well, so developers trying to submit a security relevant patch are pointed in the right direction. The wording is adjusted slightly compared to the git-scm.com website and the README, as they are talking about issues, while SubmittingPatches is talking about patches. 
Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> --- Documentation/SubmittingPatches | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Documentation/SubmittingPatches b/Documentation/SubmittingPatches index 945f8edb46..aeb7948d98 100644 --- a/Documentation/SubmittingPatches +++ b/Documentation/SubmittingPatches @@ -264,6 +264,11 @@ people who are involved in the area you are touching (the `git contacts` command in `contrib/contacts/` can help to identify them), to solicit comments and reviews. +:1: footnote:[The Git Security mailing list: git-security@googlegroups.com] + +Patches which are security relevant should be submitted privately to +the Git Security mailing list{1}. + :1: footnote:[The current maintainer: gitster@pobox.com] :2: footnote:[The mailing list: git@vger.kernel.org] -- 2.17.0.921.gf22659ad46 ^ permalink raw reply related [flat|nested] 11+ messages in thread
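Review bot: The new `:1:` attribute in the @@ -264 hunk reuses the name of the existing `:1: footnote:[The current maintainer: gitster@pobox.com]` three lines further down, so what `{1}` expands to depends on definition order alone. Give the new attribute a unique name and use it in "the Git Security mailing list{1}". The paragraph is also inserted after the one ending "to solicit comments and reviews", that is, after the reader has been told where to send the patch; the private-submission instruction should come before that paragraph.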
* Re: [PATCH 2/1] SubmittingPatches: not git-security@googlegroups.com 2018-05-27 21:08 ` [PATCH 2/1] SubmittingPatches: not git-security@googlegroups.com Thomas Gummerer @ 2018-05-28 3:00 ` Junio C Hamano 2018-05-29 18:02 ` Thomas Gummerer 0 siblings, 1 reply; 11+ messages in thread From: Junio C Hamano @ 2018-05-28 3:00 UTC (permalink / raw) To: Thomas Gummerer Cc: Jonathan Nieder, git, Ævar Arnfjörð Bjarmason Thomas Gummerer <t.gummerer@gmail.com> writes: > Yeah sorry, that's what I meant. > https://public-inbox.org/git/20180308150820.22588-1-avarab@gmail.com/ > is the reference I meant to put there. > > How about something like the below? This is tested with asciidoc > 8.6.10 and asciidoctor 1.5.6.2. I'm also happy to squash the two > patches into one if that's preferred. > If the discussion in the proposed log message needs to be updated anyway, it is a good opportunity to make them into a single patch, as they share exactly the same objective. This is a tangent, but the use of footnote below looks a bit curious. How would {1} reference pick which :1: to use? The closest preceding one? As this appears on a page that already has other footnotes attached to an adjacent paragraph, I am wondering if they should be made into a part of the same numbering sequence. 
> @@ -264,6 +264,11 @@ people who are involved in the area you are touching (the `git > contacts` command in `contrib/contacts/` can help to > identify them), to solicit comments and reviews. > > +:1: footnote:[The Git Security mailing list: git-security@googlegroups.com] > + > +Patches which are security relevant should be submitted privately to > +the Git Security mailing list{1}. > + > :1: footnote:[The current maintainer: gitster@pobox.com] > :2: footnote:[The mailing list: git@vger.kernel.org] Also, the placement of this new paragraph is rather odd. I am guessing that the reason why you put it _before_ the normal list address is to make sure those with secrets that must be guarded won't send it to the list first without thinking, but then this place is too late for that, as the previous paragraph already told the reader that the patch should be sent to the list and others but not necessarily to the maintainer. This should go one paragraph before that, at least. I briefly considered suggesting to move it even earlier, e.g. the beginning of "Sending your patches" section, but then by the time readers with potential security patches may have forgotten it, or worse, get confused by us, when we say "Send your patches with To: set to the list". So I dunno. The most conservative would be to write it at the beginning of the section and then repeat it just before "Send to the list, Cc relevant people" paragraph as a reminder.
* Re: [PATCH 2/1] SubmittingPatches: not git-security@googlegroups.com 2018-05-28 3:00 ` Junio C Hamano @ 2018-05-29 18:02 ` Thomas Gummerer 2018-05-29 18:05 ` Thomas Gummerer 2018-05-29 19:53 ` brian m. carlson 0 siblings, 2 replies; 11+ messages in thread 
From: Thomas Gummerer @ 2018-05-29 18:02 UTC (permalink / raw) To: Junio C Hamano Cc: Jonathan Nieder, git, Ævar Arnfjörð Bjarmason On 05/28, Junio C Hamano wrote: > Thomas Gummerer <t.gummerer@gmail.com> writes: > > > Yeah sorry, that's what I meant. > > https://public-inbox.org/git/20180308150820.22588-1-avarab@gmail.com/ > > is the reference I meant to put there. > > > > How about something like the below? This is tested with asciidoc > > 8.6.10 and asciidoctor 1.5.6.2. I'm also happy to squash the two > > patches into one if that's preferred. > > > > If the discussion in the proposed log message needs to be updated > anyway, it is a good opportunity to make them into a single patch, > as they share exactly the same objective. This was mostly a clarification of the note I added after the '---', but I'm happy to just make this one patch either way. > This is a tangent, but the use of footnote below looks a bit > curious. How would {1} reference pick which :1: to use? The > closest preceding one? Tbh I didn't look at the docs for doing this, but just used the same syntax as we're already using and tried it with both asciidoc and asciidoctor. And yes it seems like it always picks the preceding one. > As this appears on a page that already has other footnotes attached > to an adjacent paragraph, I am wondering if they should be made into > a part of the same numbering sequence. I have now actually looked at the docs, and this numbering has nothing to do with the footnote format, but rather is used to substitute the attribute that's specified in the curly braces with the text that's after :<attribute>: [1]. This initially confused me a bit. Maybe it would be nicer to give the attributes names instead of just numbers? As we keep adding footnotes, that would be less likely to produce conflicts between the different attributes I think. I'm also adding brian to the cc list, as he first converted this to AsciiDoc for opinions. 
[1]: https://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#attributes-and-substitutions > > @@ -264,6 +264,11 @@ people who are involved in the area you are touching (the `git > > contacts` command in `contrib/contacts/` can help to > > identify them), to solicit comments and reviews. > > > > +:1: footnote:[The Git Security mailing list: git-security@googlegroups.com] > > + > > +Patches which are security relevant should be submitted privately to > > +the Git Security mailing list{1}. > > + > > :1: footnote:[The current maintainer: gitster@pobox.com] > > :2: footnote:[The mailing list: git@vger.kernel.org] > > Also, the placement of this new paragraph is rather odd. > > I am guessing that the reason why you put it _before_ the normal > list address is to make sure those with secrets that must be guarded > won't send it to the list first without thinking, but then this > place is too late for that, as the previous paragraph already told > the reader that the patch should be sent to the list and others but > not necessarily to the maintainer. This should go one paragraph > before that, at least. I briefly considered suggesting to move it > even earlier, e.g. the beginning of "Sending your patches" section, > but then by the time readers with potential security patches may > have forgotten it, or worse, get confused by us, when we say "Send > your patches with To: set to the list". So I dunno. The most > conservative would be to write it at the beginning of the section > and then repeat it just before "Send to the list, Cc relevant > people" paragraph as a reminder. Yeah I wasn't quite sure where to best fit this in. I'd be happy with it appearing twice. Will update this in v2.
* Re: [PATCH 2/1] SubmittingPatches: not git-security@googlegroups.com 2018-05-29 18:02 ` Thomas Gummerer @ 2018-05-29 18:05 ` Thomas Gummerer 2018-05-29 19:53 ` brian m. carlson 1 sibling, 0 replies; 11+ messages in thread From: Thomas Gummerer @ 2018-05-29 18:05 UTC (permalink / raw) To: Junio C Hamano Cc: Jonathan Nieder, git, Ævar Arnfjörð Bjarmason, brian m. carlson On 05/29, Thomas Gummerer wrote: > On 05/28, Junio C Hamano wrote: > > Thomas Gummerer <t.gummerer@gmail.com> writes: > > > > > Yeah sorry, that's what I meant. > > > https://public-inbox.org/git/20180308150820.22588-1-avarab@gmail.com/ > > > is the reference I meant to put there. > > > > > > How about something like the below? This is tested with asciidoc > > > 8.6.10 and asciidoctor 1.5.6.2. I'm also happy to squash the two > > > patches into one if that's preferred. > > > > > > > If the discussion in the proposed log message needs to be updated > > anyway, it is a good opportunity to make them into a single patch, > > as they share exactly the same objective. > > This was mostly a clarification of the note I added after the '---', > but I'm happy to just make this one patch either way. > > > This is a tangent, but the use of footnote below looks a bit > > curious. How would {1} reference pick which :1: to use? The > > closest preceding one? > > Tbh I didn't look at the docs for doing this, but just used the same > syntax as we're already using and tried it with both asciidoc and > asciidoctor. And yes it seems like it always picks the preceding > one. > > > As this appears on a page that already has other footnotes attached > > to an adjacent paragraph, I am wondering if they should be made into > > a part of the same numbering sequence. > > I have now actually looked at the docs, and this numbering has nothing > to do with the footnote format, but rather is used to substitute the > attribute that's specified in the curly braces with the text that's > after :<attribute>: [1]. 
This initially confused me a bit. Maybe it > would be nicer to give the attributes names instead of just numbers? > As we keep adding footnotes, that would be less likely to produce > conflicts between the different attributes I think. > > I'm also adding brian to the cc list, as he first converted this to > AsciiDoc for opinions. Now really adding the CC, I failed earlier. Sorry about the noise. > [1]: https://asciidoctor.org/docs/asciidoc-syntax-quick-reference/#attributes-and-substitutions ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH 2/1] SubmittingPatches: not git-security@googlegroups.com 2018-05-29 18:02 ` Thomas Gummerer 2018-05-29 18:05 ` Thomas Gummerer @ 2018-05-29 19:53 ` brian m. carlson 1 sibling, 0 replies; 11+ messages in thread From: brian m. carlson @ 2018-05-29 19:53 UTC (permalink / raw) To: Thomas Gummerer Cc: Junio C Hamano, Jonathan Nieder, git, Ævar Arnfjörð Bjarmason On Tue, May 29, 2018 at 07:02:03PM +0100, Thomas Gummerer wrote: > On 05/28, Junio C Hamano wrote: > > This is a tangent, but the use of footnote below looks a bit > > curious. How would {1} reference pick which :1: to use? The > > closest preceding one? > > Tbh I didn't look at the docs for doing this, but just used the same > syntax as we're already using and tried it with both asciidoc and > asciidoctor. And yes it seems like it always picks the preceding > one. Yes, I believe the attributes namespace is flat and substituted using the current version that's defined. I wouldn't rely extensively on that, though, so unique names are probably better. > > As this appears on a page that already has other footnotes attached > > to an adjacent paragraph, I am wondering if they should be made into > > a part of the same numbering sequence. > > I have now actually looked at the docs, and this numbering has nothing > to do with the footnote format, but rather is used to substitute the > attribute that's specified in the curly braces with the text that's > after :<attribute>: [1]. This initially confused me a bit. Maybe it > would be nicer to give the attributes names instead of just numbers? > As we keep adding footnotes, that would be less likely to produce > conflicts between the different attributes I think. > I'm also adding brian to the cc list, as he first converted this to > AsciiDoc for opinions. In AsciiDoc, footnotes use the named macro syntax. 
I thought it would be difficult to read to have the footnotes inline, so I chose to use an attribute to substitute them. I used numbers because we had a small number of them and the original footnotes were numbered. I was trying to make a minimal, faithful conversion. I have no objection to named footnotes and I agree they're easier to use if we have a large number of them. I think whatever we use, we should try to make them unique, as I mentioned above. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204
* [PATCH v2 1/2] SubmittingPatches: replace numbered attributes with names 2018-05-27 14:04 [PATCH] README: note git-security@googlegroups.com Thomas Gummerer 2018-05-27 15:34 ` Jonathan Nieder @ 2018-05-30 20:52 ` Thomas Gummerer 2018-05-30 20:52 ` [PATCH v2 2/2] note git-security@googlegroups.com in more places Thomas Gummerer 1 sibling, 1 reply; 11+ messages in thread From: Thomas Gummerer @ 2018-05-30 20:52 UTC (permalink / raw) To: git Cc: Junio C Hamano, Ævar Arnfjörð Bjarmason, Jonathan Nieder, brian m. carlson, Thomas Gummerer Use names instead of numbers for the AsciiDoc attributes that are used for the footnotes. We will add more footnotes in subsequent commits, and attributes should ideally all be unique. Having named attributes will help ensure uniqueness, and we won't have to re-number the attributes if we add a footnote earlier in the document. In addition it also clarifies that the attribute name/number is not related to the number the footnote will get in the output. Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> --- Thanks Junio, Jonathan and brian for the comments on the previous round at <20180527140433.32277-1-t.gummerer@gmail.com>. This round squashes the two patches I sent previously adding the mentions of the security mailing list into one, and adds this preparatory patch. The security mailing list is now mentioned twice in SubmittingPatches, to make sure people don't miss it, and the wording was adjusted to match the document better. Documentation/SubmittingPatches | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Documentation/SubmittingPatches b/Documentation/SubmittingPatches index 945f8edb46..27553128f5 100644 --- a/Documentation/SubmittingPatches +++ b/Documentation/SubmittingPatches 
@@ -264,12 +264,12 @@ people who are involved in the area you are touching (the `git contacts` command in `contrib/contacts/` can help to identify them), to solicit comments and reviews. -:1: footnote:[The current maintainer: gitster@pobox.com] -:2: footnote:[The mailing list: git@vger.kernel.org] +:current-maintainer: footnote:[The current maintainer: gitster@pobox.com] +:git-ml: footnote:[The mailing list: git@vger.kernel.org] After the list reached a consensus that it is a good idea to apply the -patch, re-send it with "To:" set to the maintainer{1} and "cc:" the -list{2} for inclusion. +patch, re-send it with "To:" set to the maintainer{current-maintainer} and "cc:" the +list{git-ml} for inclusion. Do not forget to add trailers such as `Acked-by:`, `Reviewed-by:` and `Tested-by:` lines as necessary to credit people who helped your -- 2.17.0.1181.g093e983b0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
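Review bot: The two rewritten lines of the "re-send it" paragraph in the @@ -264 hunk, starting with `patch, re-send it with "To:" set to the maintainer{current-maintainer} and "cc:" the`, are now noticeably longer than the wrapped text around them; re-wrap the paragraph so the source stays readable as plain text. It is also worth checking that no `{1}` or `{2}` use remains elsewhere in the file, since only this one paragraph is visible in the hunk.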
* [PATCH v2 2/2] note git-security@googlegroups.com in more places 2018-05-30 20:52 ` [PATCH v2 1/2] SubmittingPatches: replace numbered attributes with names Thomas Gummerer @ 2018-05-30 20:52 ` Thomas Gummerer 2018-05-30 23:37 ` brian m. carlson 0 siblings, 1 reply; 11+ messages in thread From: Thomas Gummerer @ 2018-05-30 20:52 UTC (permalink / raw) To: git Cc: Junio C Hamano, Ævar Arnfjörð Bjarmason, Jonathan Nieder, brian m. carlson, Thomas Gummerer Add a mention of the security mailing list to the README, and to Documentation/SubmittingPatches. 2caa7b8d27 ("git manpage: note git-security@googlegroups.com", 2018-03-08) already added it to the man page, but for developers either the README, or the documentation on how to contribute (SubmittingPatches) may be the first place to look. Use the same wording as we already have on the git-scm.com website and in the man page for the README, while the wording is adjusted in SubmittingPatches to match the surrounding document better. Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> --- Documentation/SubmittingPatches | 13 +++++++++++++ README.md | 3 +++ 2 files changed, 16 insertions(+) diff --git a/Documentation/SubmittingPatches b/Documentation/SubmittingPatches index 27553128f5..c8f9deb391 100644 --- a/Documentation/SubmittingPatches +++ b/Documentation/SubmittingPatches @@ -176,6 +176,12 @@ that is fine, but please mark it as such. [[send-patches]] === Sending your patches. +:security-ml: footnoteref:[security-ml,The Git Security mailing list: git-security@googlegroups.com] + +Before sending any patches, please note that patches that may be +security relevant should be submitted privately to the Git Security +mailing list{security-ml}, instead of the public mailing list. + Learn to use format-patch and send-email if possible. These commands are optimized for the workflow of sending patches, avoiding many ways your existing e-mail client that is optimized for "multipart/*" mime 
@@ -259,6 +265,13 @@ patch, format it as "multipart/signed", not a text/plain message that starts with `-----BEGIN PGP SIGNED MESSAGE-----`. That is not a text/plain, it's something else. +:security-ml-ref: footnoteref:[security-ml] + +As mentioned at the beginning of the section, patches that may be +security relevant should not be submitted to the public mailing list +mentioned below, but should instead be sent privately to the Git +Security mailing list{security-ml-ref}. + Send your patch with "To:" set to the mailing list, with "cc:" listing people who are involved in the area you are touching (the `git contacts` command in `contrib/contacts/` can help to diff --git a/README.md b/README.md index f17af66a97..f920a42fad 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,9 @@ the body to majordomo@vger.kernel.org. The mailing list archives are available at <https://public-inbox.org/git/>, <http://marc.info/?l=git> and other archival sites. +Issues which are security relevant should be disclosed privately to +the Git Security mailing list <git-security@googlegroups.com>. + The maintainer frequently sends the "What's cooking" reports that list the current status of various development topics to the mailing list. The discussion following them give a good reference for -- 2.17.0.1181.g093e983b0 ^ permalink raw reply related [flat|nested] 11+ messages in thread
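Review bot: In the @@ -176 hunk the private address appears only inside the `:security-ml:` attribute definition, so someone reading Documentation/SubmittingPatches as plain text sees "mailing list{security-ml}" and has to look up the attribute to learn where to send. Since this is the one address that must not be confused with the public list, consider spelling it out in the sentence itself, as the README.md hunk does with `<git-security@googlegroups.com>`, and keep the footnote only if it adds something.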
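Review bot: `:security-ml-ref: footnoteref:[security-ml]` in the @@ -259 hunk carries no text of its own and depends on the id defined in the @@ -176 hunk, so the reminder placed right before `Send your patch with "To:" set to the mailing list` names no address in the source. Repeat the address in this paragraph, or at least note next to the attribute where `security-ml` is defined, so that a later edit to the first paragraph does not leave this reference without a target.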
* Re: [PATCH v2 2/2] note git-security@googlegroups.com in more places 2018-05-30 20:52 ` [PATCH v2 2/2] note git-security@googlegroups.com in more places Thomas Gummerer @ 2018-05-30 23:37 ` brian m. carlson 2018-05-31 19:22 ` Thomas Gummerer 0 siblings, 1 reply; 11+ messages in thread From: brian m. carlson @ 2018-05-30 23:37 UTC (permalink / raw) To: Thomas Gummerer Cc: git, Junio C Hamano, Ævar Arnfjörð Bjarmason, Jonathan Nieder On Wed, May 30, 2018 at 09:52:55PM +0100, Thomas Gummerer wrote: > Add a mention of the security mailing list to the README, and to > Documentation/SubmittingPatches. 2caa7b8d27 ("git manpage: note > git-security@googlegroups.com", 2018-03-08) already added it to the > man page, but for developers either the README, or the documentation > on how to contribute (SubmittingPatches) may be the first place to > look. > > Use the same wording as we already have on the git-scm.com website and > in the man page for the README, while the wording is adjusted in > SubmittingPatches to match the surrounding document better. > > Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> > --- > Documentation/SubmittingPatches | 13 +++++++++++++ > README.md | 3 +++ > 2 files changed, 16 insertions(+) > > diff --git a/Documentation/SubmittingPatches b/Documentation/SubmittingPatches > index 27553128f5..c8f9deb391 100644 > --- a/Documentation/SubmittingPatches > +++ b/Documentation/SubmittingPatches 
> @@ -176,6 +176,12 @@ that is fine, but please mark it as such. > [[send-patches]] > === Sending your patches. > > +:security-ml: footnoteref:[security-ml,The Git Security mailing list: git-security@googlegroups.com] > + > +Before sending any patches, please note that patches that may be > +security relevant should be submitted privately to the Git Security > +mailing list{security-ml}, instead of the public mailing list. > + > Learn to use format-patch and send-email if possible. These commands > are optimized for the workflow of sending patches, avoiding many ways > your existing e-mail client that is optimized for "multipart/*" mime > @@ -259,6 +265,13 @@ patch, format it as "multipart/signed", not a text/plain message > that starts with `-----BEGIN PGP SIGNED MESSAGE-----`. That is > not a text/plain, it's something else. > > +:security-ml-ref: footnoteref:[security-ml] My only feedback here is that using the footnoteref syntax to refer to the previous footnote potentially makes this a little less readable for plain text users, although it also reduces duplication. I'm not sure I feel strongly one way or the other on this. Otherwise, this looked fine to me. -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204
* Re: [PATCH v2 2/2] note git-security@googlegroups.com in more places 2018-05-30 23:37 ` brian m. carlson @ 2018-05-31 19:22 ` Thomas Gummerer 0 siblings, 0 replies; 11+ messages in thread From: Thomas Gummerer @ 2018-05-31 19:22 UTC (permalink / raw) To: brian m. carlson, git, Junio C Hamano, Ævar Arnfjörð Bjarmason, Jonathan Nieder On 05/30, brian m. carlson wrote: > On Wed, May 30, 2018 at 09:52:55PM +0100, Thomas Gummerer wrote: > > Add a mention of the security mailing list to the README, and to > > Documentation/SubmittingPatches. 2caa7b8d27 ("git manpage: note > > git-security@googlegroups.com", 2018-03-08) already added it to the > > man page, but for developers either the README, or the documentation > > on how to contribute (SubmittingPatches) may be the first place to > > look. > > > > Use the same wording as we already have on the git-scm.com website and > > in the man page for the README, while the wording is adjusted in > > SubmittingPatches to match the surrounding document better. > > > > Signed-off-by: Thomas Gummerer <t.gummerer@gmail.com> > > --- > > Documentation/SubmittingPatches | 13 +++++++++++++ > > README.md | 3 +++ > > 2 files changed, 16 insertions(+) > > > > diff --git a/Documentation/SubmittingPatches b/Documentation/SubmittingPatches > > index 27553128f5..c8f9deb391 100644 > > --- a/Documentation/SubmittingPatches > > +++ b/Documentation/SubmittingPatches 
> > @@ -176,6 +176,12 @@ that is fine, but please mark it as such. > > [[send-patches]] > > === Sending your patches. > > > > +:security-ml: footnoteref:[security-ml,The Git Security mailing list: git-security@googlegroups.com] > > + > > +Before sending any patches, please note that patches that may be > > +security relevant should be submitted privately to the Git Security > > +mailing list{security-ml}, instead of the public mailing list. > > + > > Learn to use format-patch and send-email if possible. These commands > > are optimized for the workflow of sending patches, avoiding many ways > > your existing e-mail client that is optimized for "multipart/*" mime > > @@ -259,6 +265,13 @@ patch, format it as "multipart/signed", not a text/plain message > > that starts with `-----BEGIN PGP SIGNED MESSAGE-----`. That is > > not a text/plain, it's something else. > > > > +:security-ml-ref: footnoteref:[security-ml] > > My only feedback here is that using the footnoteref syntax to refer to > the previous footnote potentially makes this a little less readable for > plain text users, although it also reduces duplication. I'm not sure I > feel strongly one way or the other on this. Yeah, using the plain footnote syntax we end up with two footnotes that are exactly the same, which felt a little awkward. But I don't feel strongly either, so if the consensus is to duplicate the footnote for better readability in plain text I'm happy to change that. To really improve the readability we'd probably have to duplicate the attribute as well, which I wanted to avoid (although it's not completely possible with the footnoteref syntax either). > Otherwise, this looked fine to me. > -- > brian m. carlson: Houston, Texas, US > OpenPGP: https://keybase.io/bk2204