
security: include CVE IDs in pre-announcements #56547

Closed
FiloSottile opened this issue Nov 3, 2022 · 5 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments

@FiloSottile
Contributor

In the lead-up to the (then downgraded) CRITICAL OpenSSL vulnerability, there was some discussion of how it would be useful to have the CVE IDs included in security pre-announcements, to pre-fill triage issues and docs without using made-up names.

A valid objection is that things sometimes change between the pre-announcement and publication, or sometimes the pre-announcement is sent before the CVE ID is assigned. I think that's fine, because this can be a best-effort policy without causing collateral damage. If the CVE changes, it can be called out in the release announcement. If one is not available, it can be stated as such in the pre-announcement.

I propose that pre-announcements per the Security Policy start including the CVE IDs when available.

/cc @golang/security @golang/release

@mdempsky mdempsky added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label Nov 3, 2022
@mdempsky mdempsky added this to the Unreleased milestone Nov 3, 2022
@rolandshoemaker
Member

No objection here. It seems inevitable that we'll eventually need to add/remove a CVE between the pre-announcement and the release, but that is no worse than what we do now where we just share nothing.

@gopherbot

Change https://go.dev/cl/470795 mentions this issue: internal/relui,internal/task: include CVEs in pre-announce

@gopherbot

Change https://go.dev/cl/470757 mentions this issue: _content/security: update pre-announcement block

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. labels Feb 23, 2023
gopherbot pushed a commit to golang/build that referenced this issue Feb 23, 2023
For minor security releases, include a list of CVEs that will be fixed
in the release. These CVEs will be restricted until the release happens,
so no information is leaked, but this provides a way for consumers to
track things.

Updates golang/go#56547

Change-Id: Ifcff22da822a7e4c4a54c76ce3c4b870d729c7ca
Reviewed-on: https://go-review.googlesource.com/c/build/+/470795
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit to golang/website that referenced this issue Feb 23, 2023
To include that we put CVE IDs in the pre-announcement email.

Updates golang/go#56547

Change-Id: I113873339c93e8a33e63d15a471b800beb09e390
Reviewed-on: https://go-review.googlesource.com/c/website/+/470757
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
@dmitshur
Contributor

This was implemented earlier, and exercised for the first time today! 🎉

https://groups.google.com/g/golang-announce/c/71Wg3N0IZk0

@rolandshoemaker Okay to close this issue or was there something more you're keeping it open for?

@rolandshoemaker
Member

👍 nothing else to do here.

@golang golang locked and limited conversation to collaborators Mar 29, 2024