security: include CVE IDs in pre-announcements #56547
In the lead-up to the (then downgraded) CRITICAL OpenSSL vulnerability, there was some discussion of how it would be useful to have the CVE IDs included in security pre-announcements, to pre-fill triage issues and docs without using made-up names.

A valid objection is that things sometimes change between the pre-announcement and publication, or sometimes the pre-announcement is sent before the CVE ID is assigned. I think that's fine, because this can be a best-effort policy without causing collateral damage. If the CVE changes, it can be called out in the release announcement. If one is not available, it can be stated as such in the pre-announcement.

I propose that pre-announcements per the Security Policy start including the CVE IDs when available.

/cc @golang/security @golang/release

Comments

No objection here. It seems inevitable that we'll eventually need to add/remove a CVE between the pre-announcement and the release, but that is no worse than what we do now, where we just share nothing.

Change https://go.dev/cl/470795 mentions this issue:

For minor security releases, include a list of CVEs that will be fixed in the release. These CVEs will be restricted until the release happens, so no information is leaked, but this provides a way for consumers to track things.

Updates golang/go#56547
Change-Id: Ifcff22da822a7e4c4a54c76ce3c4b870d729c7ca
Reviewed-on: https://go-review.googlesource.com/c/build/+/470795
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

Change https://go.dev/cl/470757 mentions this issue:

To include that we put CVE IDs in the pre-announcement email.

Updates golang/go#56547
Change-Id: I113873339c93e8a33e63d15a471b800beb09e390
Reviewed-on: https://go-review.googlesource.com/c/website/+/470757
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>

This was implemented earlier, and exercised for the first time today! 🎉 https://groups.google.com/g/golang-announce/c/71Wg3N0IZk0 @rolandshoemaker Okay to close this issue, or was there something more you're keeping it open for?

👍 Nothing else to do here.