mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-25 08:23:09 +00:00
doc/vulnerability-roundup: Rough move to new contribution doc files
No content was changed, new titles are wrapped with () to signal that they will need to be decided on in a future commit. Section in the manual have been preserved with a simple redirect to GitHub, the proper anchors should be filled out in a future commit once the new section names are decided.
This commit is contained in:
parent
86f14e461e
commit
129da60f57
@ -1,45 +1,11 @@
|
||||
# Vulnerability Roundup {#chap-vulnerability-roundup}
|
||||
|
||||
This section has been moved to [pkgs/README.md](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md).
|
||||
|
||||
## Issues {#vulnerability-roundup-issues}
|
||||
|
||||
Vulnerable packages in Nixpkgs are managed using issues.
|
||||
Currently opened ones can be found using the following:
|
||||
|
||||
[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22)
|
||||
|
||||
Each issue correspond to a vulnerable version of a package; As a consequence:
|
||||
|
||||
- One issue can contain several CVEs;
|
||||
- One CVE can be shared across several issues;
|
||||
- A single package can be concerned by several issues.
|
||||
|
||||
|
||||
A "Vulnerability roundup" issue usually respects the following format:
|
||||
|
||||
```txt
|
||||
<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub>
|
||||
|
||||
<list of related CVEs, their CVSS score, and the impacted NixOS version>
|
||||
|
||||
<list of the scanned Nixpkgs versions>
|
||||
|
||||
<list of relevant contributors>
|
||||
```
|
||||
|
||||
Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package.
|
||||
|
||||
This section has been moved to [pkgs/README.md](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md).
|
||||
|
||||
## Triaging and Fixing {#vulnerability-roundup-triaging-and-fixing}
|
||||
|
||||
**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable).
|
||||
If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check.
|
||||
|
||||
If you are investigating a "true positive":
|
||||
|
||||
- Find the earliest patched version or a code patch in the CVE details;
|
||||
- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch?
|
||||
- **No**:
|
||||
- [Submit a security fix](#submitting-changes-submitting-security-fixes);
|
||||
- Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches);
|
||||
- **Yes**: [Backport the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches).
|
||||
- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s).
|
||||
This section has been moved to [pkgs/README.md](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md).
|
||||
|
@ -765,3 +765,49 @@ Security fixes are submitted in the same way as other changes and thus the same
|
||||
If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch.
|
||||
|
||||
Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as `master` and `release-*`.
|
||||
|
||||
### Vulnerability Roundup {#chap-vulnerability-roundup}
|
||||
|
||||
#### Issues {#vulnerability-roundup-issues}
|
||||
|
||||
Vulnerable packages in Nixpkgs are managed using issues.
|
||||
Currently opened ones can be found using the following:
|
||||
|
||||
[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22)
|
||||
|
||||
Each issue correspond to a vulnerable version of a package; As a consequence:
|
||||
|
||||
- One issue can contain several CVEs;
|
||||
- One CVE can be shared across several issues;
|
||||
- A single package can be concerned by several issues.
|
||||
|
||||
|
||||
A "Vulnerability roundup" issue usually respects the following format:
|
||||
|
||||
```txt
|
||||
<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub>
|
||||
|
||||
<list of related CVEs, their CVSS score, and the impacted NixOS version>
|
||||
|
||||
<list of the scanned Nixpkgs versions>
|
||||
|
||||
<list of relevant contributors>
|
||||
```
|
||||
|
||||
Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package.
|
||||
|
||||
|
||||
#### Triaging and Fixing {#vulnerability-roundup-triaging-and-fixing}
|
||||
|
||||
**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable).
|
||||
If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check.
|
||||
|
||||
If you are investigating a "true positive":
|
||||
|
||||
- Find the earliest patched version or a code patch in the CVE details;
|
||||
- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch?
|
||||
- **No**:
|
||||
- [Submit a security fix](#submitting-changes-submitting-security-fixes);
|
||||
- Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches);
|
||||
- **Yes**: [Backport the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches).
|
||||
- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s).
|
||||
|
Loading…
Reference in New Issue
Block a user