This is an archive of the discontinued LLVM Phabricator instance.

[docs] Describe reporting security issues on the chromium tracker.
ClosedPublic

Authored by ab on Apr 20 2021, 10:56 AM.

Details

Summary

Hey folks! While checking today's agenda I noticed this task slipped through the cracks from our discussion at the last sync, my bad!

To track security issues, we're starting with the chromium bug tracker
(using the llvm project there). We would prefer to use Github to match
its increasing usage for llvm. However, Github Security Advisories are
currently intended as a way for project owners to publicize their
security advisories, and aren't well-suited to reporting issues.
We may still want to have a more complicated process where we track
issues on the chromium tracker, and publicize them to the community
on Github.
Or, alternatively, tell people to reach out to us (without getting into
details) to file a security issue for them on Github directly, and give
them access to actually discuss the issue there.

This also moves the issue-reporting paragraph to the beginning of the
document, in part to make it more discoverable, in part to allow the
anchor-linking to actually display the paragraph at the top of the page.

Note that this doesn't update the concrete list of security-sensitive
areas, which is still an open item we may want to address before
actually landing this issue-reporting doc change.

We may want to move the list of security-sensitive areas next to the
issue-reporting paragraph as well, as it seems like relevant information
needed in the reporting process.

Finally, when describing the discussion medium, this splits the topics
discussed into two: the concrete security issues, discussed in the
issue tracker, and the internal logistics, in our mailing list.
We may want to relax the nomination process to match our current usage
of patches vs the mailing list.

While there, add a SECURITY.md page linking to the relevant paragraph.

Diff Detail

Event Timeline

ab requested review of this revision. Apr 20 2021, 10:56 AM
ab created this revision.
Herald added a project: Restricted Project. Apr 20 2021, 10:56 AM

Thanks for this Ahmed!
This mostly looks good to me, I just have a few nit-comments inline.

llvm/docs/Security.rst
165

Is my understanding correct that github's security workflow works:

If so, maybe this sentence of paragraph could be made a bit more clear, stating that currently github doesn't support easily reporting a security issue non-publicly, and therefore we're using an alternative that does enable that, i.e. the chromium issue tracker?
The note about considering public disclosure using Github Security Advisories as a future improvement still makes sense to me.

168–172

I think that the LLVM security group discuss a lot of this publicly, as patch proposals to this document, or on the monthly public sync-up call.

Maybe it'd be a slightly more accurate reflection of reality to tweak the wording to:
"The LLVM security group also uses a private mailing list to discuss *confidential aspects* of LLVM security group logistics"?

Thanks for making the changes. I don't have anything to add over Kristof's comments.

Thanks for this!

llvm/docs/Security.rst
168–172

+1. Would it also be worth it to briefly reference the public sync-up call with a link to more info? (I wasn't aware of it, at least :) )

In addition to our `monthly public sync-up call`_ and discussions on public LLVM mailing lists, we use a private mailing list to discuss [...]
ab updated this revision to Diff 342532. May 3 2021, 1:40 PM
  • mention public discussions on lists/in sync-up, link to sync-up page
  • describe Github workflow as potentially useful for publicly disclosing resolved issues
ab marked 2 inline comments as done. May 3 2021, 1:44 PM

Thanks for the comments! Tweaks inline.

llvm/docs/Security.rst
165

Yep, makes sense! I tried rewriting the paragraph from that angle.

168–172

Yep, both suggestions make sense to me: I mentioned these, emphasized that most of it is public, and linked to the sync-up table.

Per email thread I will add the mailing-list URL, but as I was doing it here I realized it probably deserves prominence at the top of the page, so I need to rewrite one of the "reporting" paragraphs up there.

kristof.beyls accepted this revision. May 7 2021, 5:38 AM

LGTM, thank you Ahmed!

This revision is now accepted and ready to land. May 7 2021, 5:38 AM
mattdr accepted this revision. May 11 2021, 3:25 PM

This puts the "how to report" instructions front and center, which is by far the most important thing in the doc. Thank you!

This revision was landed with ongoing or failed builds. May 19 2021, 3:22 PM
This revision was automatically updated to reflect the committed changes.
ab marked an inline comment as done.
ab added a comment. May 19 2021, 3:24 PM

Thanks all, now landed! I still need to find some time to rewrite the bits about the mailing lists and mention ours.