[systemd-devel] GithHub / private repos
Lennart Poettering
lennart at poettering.net
Thu Jan 31 13:59:05 UTC 2019
On Mi, 30.01.19 23:10, Alex Dzyoba (alex at dzyoba.com) wrote:
> If we're actually discussing private repos for reporting security issues then
> Github product is not helpful. It seems that most of the projects use private
> mailing lists for that. For example, Linux kernel has security at kernel.org and
> another one for coordination with distributions - more details here
> https://www.kernel.org/doc/html/v4.18/admin-guide/security-bugs.html
>
> So I think something like systemd-security at lists.freedesktop.org is
> the way to go.
Well, sure, but mailing lists suck for tracking tickets.
We currently request people to submit security issues via distro's bug
trackers. See this:
https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports
I am pretty sure that that's still better than just having an ML in
place for that instead.
We also have a private GitLab copy of the GitHub repo now, which we
add people to that report security issues. But quite frankly it sucks,
since it lacks the CI integration and stuff.
It's kinda sad that GitHub doesn't really have anything in this area
to make this easier. I mean, we can't be the only project in the world
which would like to handle security issues privately and on the same
platform as everything else...
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list