dev:security
Previous revision: dev:security [2012/12/17 12:30] – created jgodin
Current revision: dev:security [2023/06/01 13:22] (current) – [How are security fixes released?] master to main dyrcona
Line 1: | Line 1: | ||
=====How the Evergreen Project Handles Security-related Bugs===== | =====How the Evergreen Project Handles Security-related Bugs===== | ||
- | |||
- | **This document is a work in progress as of 17-Dec-2012** | ||
====How do I report a security-related issue in Evergreen? | ====How do I report a security-related issue in Evergreen? | ||
You can report a security-related issue in Evergreen via the bug tracking system at https:// | You can report a security-related issue in Evergreen via the bug tracking system at https:// | ||
+ | |||
+ | While we prefer that security bugs be reported via Launchpad, they can also be reported to [[mailto: | ||
NOTE: If you are an active Evergreen "bug wrangler" | NOTE: If you are an active Evergreen "bug wrangler" | ||
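Review bot: removing the "work in progress as of 17-Dec-2012" banner in this hunk leaves the page with no top-level draft status, while the "Security team" section added later in the same diff is still labelled as proposed on 2015-03-12 and carries a "Proposed addition, pending approval" item; either keep a status line at the top of the page or resolve the pending items so readers know which parts of the policy are in force.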
Line 27: | Line 27: | ||
====How are security releases tested?==== | ====How are security releases tested?==== | ||
- | Security releases are tested to the best of the security | + | When a fix for the security release |
- | + | ||
- | * No public beta / release | + | |
- | * In addition | + | |
====How are security fixes released? | ====How are security fixes released? | ||
- | When a security bug is fixed and that fix is released, it is included in a point release of Evergreen. | + | After testing, the code will be merged to the relevant public |
====How are security releases announced? | ====How are security releases announced? | ||
Security releases are are announced via the Evergreen blog and via e-mail to the open-ils-general mailing list. | Security releases are are announced via the Evergreen blog and via e-mail to the open-ils-general mailing list. | ||
+ | |||
+ | ==== Security team ==== | ||
+ | |||
+ | //This section was proposed on 2015-03-12// | ||
+ | |||
+ | The purpose of the Evergreen security team is to review reports of | ||
+ | specific security flaws in Evergreen, to write and test patches to fix | ||
+ | or ameliorate those flaws, and to perform security releases. | ||
+ | |||
+ | Membership in the Evergreen security team is available to individuals | ||
+ | who meet all of the following conditions: | ||
+ | |||
+ | - They request membership. | ||
+ | -They promise to adhere to the consensus of the security team regarding when to publicly disclose security issues. | ||
+ | - They promise to maintain the confidentially of discussions on the open-ils-security mailing list and security bugs on LaunchPad. | ||
+ | - They promise to provide assistance to the security team. Such help can take the form of provide substantive commentary on reported security issues, writing patches, testing and reviewing them, writing security documentation, | ||
+ | - They operate or support the operation of at least one production Evergreen system known to at least one other current member of the security team. | ||
+ | - They already have access to various tools required to participating in a meaningful fashion, to wit: a registered account on LaunchPad and at least one public key registered with the Evergreen Git server. | ||
+ | - The current members of the security team come to a consensus to admit the new member. The security team reserves the right to reject applications, | ||
+ | |||
+ | Membership applications may be made by contacting one of the current | ||
+ | security team members; a list of the current members' | ||
+ | maintained on the Evergreen wiki. [(**Proposed addition, pending approval**) Application for membership should include indication that you have read and agree to the conditions stated above.] | ||
+ | |||
+ | Violations of the promises in (2) and (3) may result in immediate | ||
+ | expulsion from the security team. | ||
+ | |||
+ | Membership in the security team belongs to individuals, | ||
+ | institutions. | ||
+ | will actively participate at least part of the time; it is not to be | ||
+ | treated simply as a means of gaining early access to information about | ||
+ | security vulnerabilities in Evergreen. | ||
+ | |||
+ | The team membership list will be reviewed annually; members who have | ||
+ | not made substantive contributions to the team may be dropped from the | ||
+ | list, but are free to apply to rejoin. | ||
+ | |||
+ | Members of the security team will have access to the following | ||
+ | restricted resources in order to carry out their work: | ||
+ | |||
+ | * membership in the private security group on LaunchPad, which will allow them to see and act on bugs that are marked as private security bugs | ||
+ | * a subscription and access to the private archives of the open-ils-security mailing list | ||
+ | * access to the Git repositories hosting security patches in progress. | ||
+ | |||
+ | ==== Current security team members ==== | ||
+ | |||
+ | * Thomas Berezansky | ||
+ | * Galen Charlton | ||
+ | * Jeff Davis | ||
+ | * Bill Erickson | ||
+ | * Jeff Godin | ||
+ | * Rogan Hamby | ||
+ | * Kathy Lussier | ||
+ | * Mike Rylander | ||
+ | * Dan Scott | ||
+ | * Chris Sharp | ||
+ | * Ben Shum | ||
+ | * Jason Stephenson | ||
+ | * Yamil Suarez | ||
+ | * Dan Wells | ||
+ | * Liam Whalen |
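Review bot: several wording slips in the added "Security team" list need fixing before this merges: `-They promise to adhere` is missing the space after the dash that the other items have, so DokuWiki will not render it as a numbered item, which also breaks the later reference to promises "(2) and (3)"; `confidentially` should read `confidentiality`; `take the form of provide substantive commentary` should read `providing`; and `required to participating in a meaningful fashion` should read `to participate`. The unchanged line `Security releases are are announced` also doubles `are` and could be corrected in the same edit.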
dev/security.1355765458.txt.gz · Last modified: 2022/02/10 13:34 (external edit)