On Mi, 30.01.19 23:10, Alex Dzyoba (alex@xxxxxxxxxx) wrote:

> If we're actually discussing private repos for reporting security issues then
> Github product is not helpful. It seems that most of the projects use private
> mailing lists for that. For example, Linux kernel has security@xxxxxxxxxx and
> another one for coordination with distributions - more details here
> https://www.kernel.org/doc/html/v4.18/admin-guide/security-bugs.html
>
> So I think something like systemd-security@xxxxxxxxxxxxxxxxxxxxx is
> the way to go.

Well, sure, but mailing lists suck for tracking tickets.

We currently request people to submit security issues via distro's bug
trackers. See this:

https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports

I am pretty sure that that's still better than just having an ML in
place for that instead.

We also have a private GitLab copy of the GitHub repo now, which we
add people to that report security issues. But quite frankly it sucks,
since it lacks the CI integration and stuff.

It's kinda sad that GitHub doesn't really have anything in this area
to make this easier. I mean, we can't be the only project in the world
which would like to handle security issues privately and on the same
platform as everything else...

Lennart

--
Lennart Poettering, Red Hat