Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Contrib: Add process for security responses. #12487

Merged
merged 2 commits into from
Aug 25, 2023
Merged

Conversation

ehuss
Copy link
Contributor

@ehuss ehuss commented Aug 12, 2023

This adds some documentation to give some guidance and checklists for how a security issue is handled.

@rustbot
Copy link
Collaborator

rustbot commented Aug 12, 2023

r? @weihanglo

(rustbot has picked a reviewer for you, use r? to override)

@rustbot rustbot added A-documenting-cargo-itself Area: Cargo's documentation S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 12, 2023
@ehuss
Copy link
Contributor Author

ehuss commented Aug 12, 2023

cc @rust-lang/security, would love if you have any feedback.

My brain turned to mush while writing this, so I imagine there are things missing or confusing.

@epage
Copy link
Contributor

epage commented Aug 13, 2023

Thanks for writing this up! From my limited perspective, it looked good to go

Copy link
Member

@weihanglo weihanglo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this. I love the write-up!

I am a bit worried about it getting out of sync with the actual procedure of security WG.Should this be documented in security WG's readme or elsewhere? Do they have any public docs for this purpose? I would be better if we doc only the part relevant to cargo, and link to their own doc.

@ehuss
Copy link
Contributor Author

ehuss commented Aug 15, 2023

I am a bit worried about it getting out of sync with the actual procedure of security WG.Should this be documented in security WG's readme or elsewhere? Do they have any public docs for this purpose? I would be better if we doc only the part relevant to cargo, and link to their own doc.

Their public docs are linked at the beginning of this doc (https://github.com/rust-lang/wg-security-response/blob/main/docs/handling-reports.md). Theirs is oriented towards WG members, and this was oriented specifically for cargo team members. I agree there is risk that this information becomes stale. There are some unique properties of the cargo project that make this a bit complicated (for example, our branching and release process, version bumping, etc.). I tried to write this as much as "There is a rough outline of what the WG does. This fills in all the in-between bits that are specific to cargo."

@weihanglo
Copy link
Member

@bors try

{{ github.sha }} should be a merge commit that never touched cargo-credential. I have no idea how it ended up there.

@weihanglo
Copy link
Member

@bors try

@bors
Copy link
Contributor

bors commented Aug 15, 2023

⌛ Trying commit 0fe0fca with merge 2bab44a...

bors added a commit that referenced this pull request Aug 15, 2023
Contrib: Add process for security responses.

This adds some documentation to give some guidance and checklists for how a security issue is handled.
@bors
Copy link
Contributor

bors commented Aug 15, 2023

💥 Test timed out

@weihanglo
Copy link
Member

@bors retry

Going to merge this as Manishearth already approved

@bors
Copy link
Contributor

bors commented Aug 25, 2023

⌛ Trying commit 0fe0fca with merge 796c835...

bors added a commit that referenced this pull request Aug 25, 2023
Contrib: Add process for security responses.

This adds some documentation to give some guidance and checklists for how a security issue is handled.
@weihanglo
Copy link
Member

@bors r+

@bors
Copy link
Contributor

bors commented Aug 25, 2023

📌 Commit 0fe0fca has been approved by weihanglo

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 25, 2023
@bors
Copy link
Contributor

bors commented Aug 25, 2023

⌛ Testing commit 0fe0fca with merge e3b3ed8...

@bors
Copy link
Contributor

bors commented Aug 25, 2023

☀️ Test successful - checks-actions
Approved by: weihanglo
Pushing e3b3ed8 to master...

@bors bors merged commit e3b3ed8 into rust-lang:master Aug 25, 2023
bors added a commit to rust-lang-ci/rust that referenced this pull request Aug 26, 2023
Update cargo

13 commits in 2cc50bc0b63ad20da193e002ba11d391af0104b7..925280f028db3a322935e040719a0754703947cf
2023-08-22 22:43:08 +0000 to 2023-08-25 21:16:44 +0000
- string leek is stable (rust-lang/cargo#12559)
- refactor: Pull out cargo-add MSRV code for reuse (rust-lang/cargo#12553)
- Contrib: Add process for security responses. (rust-lang/cargo#12487)
- Support dependencies from registries for artifact dependencies, take 2 (rust-lang/cargo#12421)
- fix(toml): Improve parse errors (rust-lang/cargo#12556)
- Create dedicated unstable flag for asymmetric-token (rust-lang/cargo#12551)
- chore(deps): update latest msrv to v1.72.0 (rust-lang/cargo#12549)
- changelog: add link to CVE-2023-40030 (rust-lang/cargo#12550)
- refactor(install): Move value parsing to clap (rust-lang/cargo#12547)
- fix: Set MSRV for internal packages (rust-lang/cargo#12381)
- doc: fix two links to tracing docs (rust-lang/cargo#12537)
- use AND search when having multiple terms (rust-lang/cargo#12548)
- fix(log): Use a more compact relative-time format (rust-lang/cargo#12542)

r? ghost
@ehuss ehuss added this to the 1.74.0 milestone Sep 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-documenting-cargo-itself Area: Cargo's documentation S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants