[gdal-dev] How to deal with security related bug reports?
Even Rouault
even.rouault at spatialys.com
Thu Jul 29 10:20:07 PDT 2021
I've created https://github.com/OSGeo/gdal/pull/4152 with a SECURITY.md
that largely uses Kurt's proposal.
Even
On 28/07/2021 at 19:37, Even Rouault wrote:
> PSC,
>
> We just got https://github.com/OSGeo/gdal/issues/4146 from someone
> trying to get in touch about a security issue. How do we want to deal
> with that? Personally, dealing with all the secrecy about security
> issues is not super appealing and my natural inclination would be to
> deal with them as any other issue.
>
> An alternative, used by MapServer, would be to set up a dedicated
> private GitHub repository, where we would invite only users (but they
> are likely able to see all issues, not just theirs). Or perhaps just
> make a repository accessible to PSC / trusted developers, interact
> with the reporter through email (who wants to be in the email loop?)
> and paste there the report and updates, but that becomes cumbersome.
>
> Another point, assuming we have a private issue tracker, is, assuming
> the issue is confirmed and we have a fix for it, how do we deal with
> it? My inclination would be to just commit the fix (the issue would
> become more or less public once a candidate pull request is issued)
> and not issue a dedicated release, but use our regular bugfix releases.
>
> Thoughts?
>
> Even
>
--
http://www.spatialys.com
My software is free, but my time generally not.