There’s been some discussion on how to manage security issues through the GitHub Security Advisory mechanism.
The hardest part about this is that there are two steps (“Accept” from third party, “Request CVE”) that should be low-threshold, but from the way GitHub sets up things can only be done by members of a group whose role is Admin. We should keep Admin small because this grants a bunch of other privileges that a) probably not everyone should have, and b) people may not even want (like, I prefer to keep my privileges low for accounts I’m logged in with a lot).
The current proposal for workflow with these is:
- User reports a GSA
- Someone in the Owners or Maintainers does a few cheap steps:
  - Check whether the report is spam or plausibly a RIOT security issue. This doesn’t need to be thorough, like, no need to read any code, just reject if someone is obviously trolling. If it’s good,
    - add a particular group to the report (see below)
    - click “accept”
    - click “request CVE” (unless one is assigned already, in which case the button is not there anyway)
- From there, maintainers can take it – adding comments, interacting with the reporter, editing the advisory, possibly going through the private fork which is yet something to be explored.
- When a fixed version is released, we’ll need someone from Owners or Maintainers again.
If the current Owners and Maintainers can do the assignment steps, I’d be glad to have the security group (currently just Kaspar and me) removed again, as it gives me more rights than I should have – but if not, I can stay there to help with the triage.
An open question is which group should be assigned – I wouldn’t view this as a secrecy concern (security issues are regularly discussed on the riot-maintainers channel; being a maintainer is good enough here) but as a concern of being pinged about every new security issue. What do you prefer there?
- Assign “all maintainers” to security issues (e.g. because I prefer everyone to push security issues to the group)
- Assign a new subgroup of maintainers to security issues (e.g. because I don’t want to be pinged about every security issue)
- Don’t care (e.g. because I would enter the security team anyway and thus receive notifications)