From: Julia Ramer <prplr@github.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: Julia Ramer via GitGitGadget <gitgitgadget@gmail.com>,
git@vger.kernel.org, git-security@googlegroups.com,
Johannes Schindelin <Johannes.Schindelin@gmx.de>,
Keanen Wold <keanenwold@github.com>,
Veronica Giaudrone <veronica.Giaudrone@microsoft.com>,
Bri Brothers <brbrot@microsoft.com>,
Taylor Blau <me@ttaylorr.com>, Julia Ramer <gitprplr@gmail.com>
Subject: Re: [PATCH v3] embargoed releases: also describe the git-security list and the process
Date: Mon, 24 Oct 2022 13:18:21 -0700
Message-ID: <CADq8SzV06zTHmG+uSW==R5sL=MveuA9VSMhpV8hck+rzvVSp4Q@mail.gmail.com>
In-Reply-To: <xmqqo7u5m8ku.fsf@gitster.g>
On Fri, Oct 21, 2022 at 9:42 AM Junio C Hamano <gitster@pobox.com> wrote:
>
> > +- Code review can take place in a variety of different locations,
> > + depending on context. These are: patches sent inline on the
> > + git-security list, a private fork on GitHub associated with the
> > + draft security advisory, or the git/cabal repository.
>
> Here, we name "the git/cabal repository" but the word never appears
> again in the document; we later refer to the same thing as "private
> repositories that are owned by the Git project, with tightly
> controlled access", but to outsiders, it is not clear that they are
> the same thing. Perhaps writing
>
> ..., or the git/cabal repository (private repository owned by
> the Git project with tightly controlled access).
>
> here, and replacing the later reference with just "the git/cabal
> repository", would be sufficient.
Fixed in the next version!
> > + Contributors working on a fix should consider beginning by sending
> > + patches to the git-security list (inline with the original thread),
> > + since they are accessible to all subscribers, along with the original
> > + reporter.
>
> Or we can make it a separate bullet point, which may make it simpler
> to read in the source form.
Fixed, thanks for pointing that out.
> > +- Once the review has settled and everyone involved in the review agrees that
> > + the patches are ready, the Git maintainer, and others determine a release date
> > + as well as the release trains that are serviced. The decision regarding which
>
> We typically know how involved the final changes would be (i.e. the
> minimum time it would take for us and involved others to prepare the
> release) way before all the t's are crossed and i's are dotted in
> the patches, so setting the release date may be done much earlier.
Distilled into s/ready/nearing the finish line/
>
> > +- Less than a week before the release, a mail with the relevant information is
> > + sent to <distros@vs.openwall.org> (see below), a list used to pre-announce
> > + embargoed releases of open source projects to the stakeholders of all major
> > + distributions of Linux as well as other OSes. This includes a Git bundle
> > + of the tagged version(s), but no further specifics of the vulnerability.
>
> I am not sure how much value it adds to have ", but no further..."
> at the end. Anybody who sees this e-mail has the Git bundle, which
> is relative to the last stable release, and can be used to create
> the full source of the releases by anybody who has access to the
> public Git repositories. The source includes the release notes in
> the Documentation/RelNotes/ directory that describe everything to
> know about the vulnerabilities the releases address.
I think it makes sense to just remove the entire last sentence, as the
relevant information is referenced in the parenthetical "(see below)".
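As an added illustration of the point above that the Git bundle is relative to the last stable release and only becomes the full source for someone who already has the public history, the following script builds such a bundle and checks it from both sides (this script is not from the thread or the Git project; the tag names, paths and commit messages are constructed):

```sh
#!/bin/sh
# Added example, not part of the thread or the Git project: a bundle built
# "relative to the last stable release" carries only the new commits, so a
# recipient needs the public history to turn it into the full release.
# Tag names, paths and commit messages below are constructed for the demo.
set -eu

GIT_AUTHOR_NAME=demo GIT_COMMITTER_NAME=demo
GIT_AUTHOR_EMAIL=demo@example.com GIT_COMMITTER_EMAIL=demo@example.com
export GIT_AUTHOR_NAME GIT_COMMITTER_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_EMAIL

# Prints the number of commits the bundle delivered to the recipient (1).
demo_bundle() {
  work=$(mktemp -d)
  public="$work/public"        # stands in for the public git repository
  distro="$work/distro"        # a distro maintainer's clone of public state
  outsider="$work/outsider"    # a repository with none of the public history

  git init -q "$public"
  git -C "$public" commit -q --allow-empty -m "last public release"
  git -C "$public" tag v1.0.0                    # constructed "last stable"
  git clone -q "$public" "$distro"               # taken before the fix exists

  # The embargoed fix and its tag exist only on the private side for now.
  git -C "$public" commit -q --allow-empty -m "fix: embargoed security issue"
  git -C "$public" tag v1.0.1

  # Bundle only what is new since v1.0.0; that tag's commit becomes a
  # prerequisite that the recipient must already have.
  git -C "$public" bundle create "$work/fix.bundle" v1.0.0..v1.0.1 2>/dev/null

  # Without the prerequisite, verification must fail.
  git init -q "$outsider"
  if git -C "$outsider" bundle verify "$work/fix.bundle" >/dev/null 2>&1; then
    echo "unexpected: verify passed without prerequisite" >&2; return 1
  fi

  # With the public clone, verify passes and the new tag can be fetched.
  git -C "$distro" bundle verify "$work/fix.bundle" >/dev/null 2>&1
  git -C "$distro" fetch -q "$work/fix.bundle" 'refs/tags/*:refs/tags/*'
  git -C "$distro" rev-list --count v1.0.0..v1.0.1
  rm -rf "$work"
}
```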