Security point of contact

Cym13 cpicard at openmailbox.org
Sat Jun 9 23:19:34 UTC 2018


On Saturday, 9 June 2018 at 21:52:59 UTC, Seb wrote:
> On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
>> Yop.
>>
>> I need to discuss an issue related to dub. No need to alarm 
>> everyone yet, that only concerns 1.3% of dub projects, but 
>> still it's something that shouldn't be taken lightly.
>>
>> Who should I contact?
>
> Sönke, Martin and myself.
>
> https://github.com/s-ludwig (look in the DUB git log for his 
> email address)
> https://github.com/MartinNowak
> https://github.com/wilzbach

Thank you, the mail should be in your box already.

>> I'd very very much like to have something like a 
>> security at dlang.org for such things, it's not the first and 
>> likely not the last time this need arises, and the lack of a 
>> clear procedure doesn't encourage coordinated disclosure.
>
> I will try to get this email address setup.
> At least we already have an official GPG keyring:
>
> https://dlang.org/gpg_keys.html

Having the address will be a very good start, thank you.

For comparison the PHP project has two things that I enjoyed when 
disclosing bugs:

1. Security guidelines (https://wiki.php.net/security) that clearly state
   what they consider a vulnerability and what isn't. I find it very well
   designed and it could be an inspiration for a D security guideline even
   though we're not having too many vulnerabilities disclosed right now as
   far as I know.

2. They configured their bugzilla so that when the category "security" is
   used the bug is made private and only the proper team is put in copy. I
   don't know how easy it is, so an email address seems more practical right
   now, I think. Note that this is in complement to security at php.net, which
   they use mostly for security related talk but not bug reports.

Anyway, I'm not sure we need all this right now, but I'd rather 
start the discussion early.
