Update SECURITY.md with anza links and names #27
| Once the fix is accepted, a member of the solana-labs/security-incident-response group should prepare a single patch file for each affected branch. The commit title for the patch should only contain the advisory id, and not disclose any further details about the incident. | ||
| Copy the patches to https://release.solana.com/ under a subdirectory named after the advisory id (example: https://release.solana.com/GHSA-hx59-f5g4-jghh/v1.4.patch). Contact a member of the solana-labs/admins group if you require access to release.solana.com | ||
| Once the fix is accepted, a member of the anza-xyz/security-incident-response group should prepare a single patch file for each affected branch. The commit title for the patch should only contain the advisory id, and not disclose any further details about the incident. | ||
| Copy the patches to https://release.solana.com/ under a subdirectory named after the advisory id (example: https://release.solana.com/GHSA-hx59-f5g4-jghh/v1.4.patch). Contact a member of the anza-xyz/admins group if you require access to release.solana.com |
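Review bot: the second row still tells the responder to copy patches to https://release.solana.com/ (and keeps the example path under that host) while the access instruction in the same row moves from solana-labs/admins to anza-xyz/admins; either the hosting location should move with the organisation or the row should state that anza-xyz/admins actually administers the existing release.solana.com bucket, so that the URL and the "contact ... if you require access" instruction do not disagree.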
Have some concerns here:
- I think we shouldn't give write permission on the release bucket to anyone else. Maybe we can have another bucket for it 🤔
- If we think that's fine, we will need to update it to https://release.anza.xyz (line 74 needs to be updated as well).
Yeah, good call.
@t-nelson Have we been following this guidance on releasing patch files? I've never done it.
We really only use these instructions for loss of funds. AFAIK we've never actually hosted a patch file; we just attach it directly to a message in the chat.
I ripped out that whole section. It was overly prescriptive and not representative of how we've been doing things. The new language better reflects the judgement calls we make when shipping patches.
yihau
left a comment
LGTM! Just need to check if we have the email alias for security@anza.xyz 📫
Switched it to security@solana.com (there's a Slack conversation in |
Sorry for missing this one. Am I correct that we won't have an email for security@anza.xyz? (FWIW, we have set up an email for maintainers@anza.xyz.)