
digitalmars.D - Security point of contact

Cym13 <cpicard openmailbox.org> writes:
Yop.

I need to discuss an issue related to dub. No need to alarm 
everyone yet, that only concerns 1.3% of dub projects, but still 
it's something that shouldn't be taken lightly.

Who should I contact?

I'd very very much like to have something like a 
security dlang.org for such things, it's not the first and likely 
not the last time this need arises, and the lack of a clear 
procedure doesn't encourage coordinated disclosure.
Jun 09 2018
Seb <seb wilzba.ch> writes:
On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
 Yop.

 I need to discuss an issue related to dub. No need to alarm 
 everyone yet, that only concerns 1.3% of dub projects, but 
 still it's something that shouldn't be taken lightly.

 Who should I contact?
Sönke, Martin and myself: https://github.com/s-ludwig (look in the DUB git log for his email address), https://github.com/MartinNowak, https://github.com/wilzbach
 I'd very very much like to have something like a 
 security dlang.org for such things, it's not the first and 
 likely not the last time this need arises, and the lack of a 
 clear procedure doesn't encourage coordinated disclosure.
I will try to get this email address set up. At least we already have an official GPG keyring: https://dlang.org/gpg_keys.html
Jun 09 2018
Cym13 <cpicard openmailbox.org> writes:
On Saturday, 9 June 2018 at 21:52:59 UTC, Seb wrote:
 On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
 Yop.

 I need to discuss an issue related to dub. No need to alarm 
 everyone yet, that only concerns 1.3% of dub projects, but 
 still it's something that shouldn't be taken lightly.

 Who should I contact?
Sönke, Martin and myself: https://github.com/s-ludwig (look in the DUB git log for his email address), https://github.com/MartinNowak, https://github.com/wilzbach
Thank you, the mail should be in your box already.
 I'd very very much like to have something like a 
 security dlang.org for such things, it's not the first and 
 likely not the last time this need arises, and the lack of a 
 clear procedure doesn't encourage coordinated disclosure.
I will try to get this email address set up. At least we already have an official GPG keyring: https://dlang.org/gpg_keys.html
Having the address will be a very good start, thank you. For comparison, the PHP project has two things that I enjoyed when disclosing bugs:

1. Security guidelines (https://wiki.php.net/security) that clearly state what they consider a vulnerability and what isn't. I find it very well designed and it could be an inspiration for a D security guideline, even though we're not having too many vulnerabilities disclosed right now as far as I know.

2. They configured their Bugzilla so that when the category "security" is used the bug is made private and only the proper team is put in copy. I don't know how easy that is, so an email address seems more practical right now, I think. Note that this is in complement to security php.net, which they use mostly for security-related talk but not bug reports.

Anyway, I'm not sure we need all this right now, but I'd rather start the discussion early.
Jun 09 2018
Cym13 <cpicard openmailbox.org> writes:
On Saturday, 9 June 2018 at 23:19:34 UTC, Cym13 wrote:
 Thank you, the mail should be in your box already.
Well, apparently Gmail considered it spam, so it shouldn't be in your box. But I'm sure Sönke or Martin will be able to transfer it.
Jun 09 2018
Seb <seb wilzba.ch> writes:
On Saturday, 9 June 2018 at 23:19:34 UTC, Cym13 wrote:
 On Saturday, 9 June 2018 at 21:52:59 UTC, Seb wrote:
 On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
 Yop.

 I need to discuss an issue related to dub. No need to alarm 
 everyone yet, that only concerns 1.3% of dub projects, but 
 still it's something that shouldn't be taken lightly.

 Who should I contact?
Sönke, Martin and myself: https://github.com/s-ludwig (look in the DUB git log for his email address), https://github.com/MartinNowak, https://github.com/wilzbach
Thank you, the mail should be in your box already.
Sorry - I never got a mail :/ Which address did you use? If in doubt, this is my official one: https://seb.wilzba.ch/contact/
Jun 10 2018
Vladimir Panteleev <thecybershadow.lists gmail.com> writes:
On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
 Who should I contact?

 I'd very very much like to have something like a 
 security dlang.org for such things, it's not the first and 
 likely not the last time this need arises, and the lack of a 
 clear procedure doesn't encourage coordinated disclosure.
Less specifically, it depends on the component / property. There is the https://wiki.dlang.org/People page, which has a list of points of contact.
Jun 09 2018
Cym13 <cpicard openmailbox.org> writes:
On Sunday, 10 June 2018 at 00:31:55 UTC, Vladimir Panteleev wrote:
 On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
 Who should I contact?

 I'd very very much like to have something like a 
 security dlang.org for such things, it's not the first and 
 likely not the last time this need arises, and the lack of a 
 clear procedure doesn't encourage coordinated disclosure.
Less specifically, it depends on the component / property. There is the https://wiki.dlang.org/People page, which has a list of points of contact.
This is exactly the thing. First of all, the idea that the main developer of the part of the project impacted should be the one receiving the report is sound but far from obvious. In many countries there is a (stupid) legal risk associated with vulnerability disclosure, so as a researcher you'd rather be sure that you're talking to the right person. Furthermore, the list doesn't provide any direct way to contact any of those people, which isn't surprising but adds friction. In the best case the email is visible on their GitHub account; in the worst you need to look at commits and hope the email is still valid and is the one the person expects to be contacted at.

The alternatives are 1) opening a public issue on issues.dlang.org, which I did many times where I judged that it was acceptable given the issue, but I'm never at ease doing it, or 2) asking as I just did.

I can say with certainty that the current process is a deterrent. In the past I decided not to discuss some issues because of it (hopefully not too important, otherwise I'd have pressed the matter and would remember what it was about, but judging importance isn't easy). Security is the thing nobody wants to have to think about, but it's important nonetheless, so I think it's worth improving the process on that point. After all, all issues found and disclosed by external people are issues you don't have to find yourself ;)
Jun 09 2018
Seb <seb wilzba.ch> writes:
On Sunday, 10 June 2018 at 00:59:11 UTC, Cym13 wrote:
 On Sunday, 10 June 2018 at 00:31:55 UTC, Vladimir Panteleev 
 wrote:
 [...]
This is exactly the thing. First of all, the idea that the main developer of the part of the project impacted should be the one receiving the report is sound but far from obvious. In many countries there is a (stupid) legal risk associated with vulnerability disclosure, so as a researcher you'd rather be sure that you're talking to the right person. [...]
Another step towards setting up such a security point of contact: https://github.com/dlang/dlang.org/pull/2398

Input is welcome.
Jun 28 2018