
Re: Security release procedures

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Wed, 07 Aug 2019 23:39:26 +0000

I'd like to reference and summarize some relevant mails from private@:

[[[
Date: Fri, 29 Mar 2013 07:07:12 +0300
From: Daniel Shahaf
To: private_at_subversion.apache.org
Subject: PGP encrypting pre-notification recipients
Message-ID: <20130329040712.GA2958_at_lp-shahaf.local>
]]]

tl;dr Should we PGP-encrypt the pre-notification emails?

[[[
Date: Wed, 7 Aug 2013 11:38:36 +0300
From: Daniel Shahaf
To: private_at_subversion.apache.org
Subject: Security patches release process
Message-ID: <20130807083836.GF3007_at_lp-shahaf.local>
]]]

tl;dr Describes the process we used. Proposes an alternative that doesn't use
security-by-obscurity: basically, to pre-notify and release a signed .diff file
in lieu of a tarball. The .diff and .diff.asc would be subject to the same
substantive and formal requirements as any other release artifact: voting,
detached PGP signature, distributed on the mirrors, etc. (The email lists that
under "v3".) It's based on our historical process of preparing tarballs and
voting on them in private, tarballs that differ from the preceding release by
exactly the security patch and nothing else. (Example: diff 1.5.6 to 1.5.7.)

[[[
Date: Sat, 12 Jan 2019 15:17:17 +0000
From: Daniel Shahaf
To: private_at_subversion.apache.org
Subject: Re: A volunteer to announce and close the fixed security issues?
Message-Id: <1547306237.108755.1632733392.3E962CF9_at_webmail.messagingengine.com>
]]]

tl;dr Writes down some of the "How to retroactively notify a security release" process.

Received on 2019-08-08 01:39:34 CEST

This is an archived mail posted to the Subversion Dev mailing list.