[gdal-dev] How to deal with security related bug reports?

Even Rouault even.rouault at spatialys.com
Thu Jul 29 10:20:07 PDT 2021


I've created https://github.com/OSGeo/gdal/pull/4152 with a SECURITY.md 
that largely uses Kurt's proposal.

Even

On 28/07/2021 at 19:37, Even Rouault wrote:
> PSC,
>
> We just got https://github.com/OSGeo/gdal/issues/4146 from someone 
> trying to get in touch with a security issue. How do we want to deal 
> with that? Personally, dealing with all the secrecy about security 
> issues is not super appealing and my natural inclination would be to 
> deal with them as any other issue.
>
> An alternative, used by MapServer, would be to set up a dedicated 
> private GitHub repository, where we would invite only users (but they 
> are likely able to see all issues, not just theirs). Or perhaps just 
> make a repository accessible to PSC / trusted developers, interact 
> with the reporter through email (who wants to be in the email loop?) 
> and paste there the report and updates, but that becomes cumbersome.
>
> Another point, assuming we have a private issue tracker, is, assuming 
> the issue is confirmed and we have a fix for it, how do we deal with 
> it? My inclination would be to just commit the fix (the issue would 
> become more or less public once a candidate pull request is issued) 
> and not issue a dedicated release, but use our regular bugfix releases.
>
> Thoughts?
>
> Even
>
-- 
http://www.spatialys.com
My software is free, but my time generally not.