From: Junio C Hamano <gitster@pobox.com>
To: Amir Montazery <amir@ostif.org>
Cc: git@vger.kernel.org
Subject: Re: Coordinated Security Audit for git. Contacts needed
Date: Thu, 21 Jul 2022 11:47:39 -0700
Message-ID: <xmqqmtd2gv5g.fsf@gitster.g>
In-Reply-To: <CADKuG0vVGsC9tFr8bUrC48yhhkyg0Rrafyf39TYhPNXE1ak6mA@mail.gmail.com> (Amir Montazery's message of "Thu, 21 Jul 2022 13:06:41 -0500")

Amir Montazery <amir@ostif.org> writes:

>> There are no "community meetings" other than the informal "stand-up"
>> irc discussion that is biweekly.  The log of the latest is at
>> https://colabti.org/irclogger/irclogger_log/git-devel?date=2022-07-18
>> but generally speaking we are not into "synchronous" communication.

The next one is on Aug 1st, it seems, according to https://tinyurl.com/gitCal

    The Git Standup is currently happening every two weeks at 18:00 UTC
    in the #git-devel channel on irc.libera.chat and its log can be
    found at https://j.mp/gitdevlog

Coming to it may be a good way to "get to know" some folks who work
on the project.

> ... If anyone is interested in providing some direction
> or help with the source code review, supply chain security, or
> customizing a new setup of CodeQL for git, please let me know.

All new code (with a small exception) goes through the patch review on
this list, so reviewing patches posted here and archived at

    https://lore.kernel.org/git/

with special focus on the security aspect (which is the forte of
you folks) may be great.  A patchwork instance that captures the
traffic can be seen at

    https://patchwork.kernel.org/project/git/list/

I am not sure what the best place to start in auditing existing
codebase, though.

Even though linking with libraries that are unpatched for known
vulnerabilities and/or are compromised would be a problem for
end-users, because we as the project only make source releases and do
not make binary distributions, supply-chain issues may not be as big
an issue to the project.  Our friends at the "Git for Windows"
project do one for their platform, and may use your help in the
area, though.

Thanks.


Thread overview: 4+ messages
2022-07-21 16:49 Coordinated Security Audit for git. Contacts needed Amir Montazery
2022-07-21 17:47 ` Junio C Hamano
2022-07-21 18:06   ` Amir Montazery
2022-07-21 18:47     ` Junio C Hamano [this message]