[gdal-dev] How to deal with security related bug reports?

Even Rouault even.rouault at spatialys.com
Wed Jul 28 10:37:44 PDT 2021


PSC,

We just got https://github.com/OSGeo/gdal/issues/4146 from someone 
trying to get in touch with a security issue. How do we want to deal 
with that? Personally, dealing with all the secrecy about security 
issues is not super appealing, and my natural inclination would be to 
deal with them as any other issue.

An alternative, used by MapServer, would be to set up a dedicated private 
GitHub repository, where we would invite only users (but they are likely 
able to see all issues, not just theirs). Or perhaps just make a 
repository accessible to PSC / trusted developers, interact with the 
reporter through email (who wants to be in the email loop?) and paste 
there the report and updates, but that becomes cumbersome.

Another point, assuming we have a private issue tracker, is, assuming 
the issue is confirmed and we have a fix for it, how do we deal with 
it? My inclination would be to just commit the fix (the issue would become 
more or less public once a candidate pull request is issued) and not 
issue a dedicated release, but use our regular bugfix releases.

Thoughts?

Even

-- 
http://www.spatialys.com
My software is free, but my time generally not.