
Re: Proposed SECURITY-PROCESS updates

From: Daniel Gustafsson via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 9 Mar 2023 20:37:51 +0100

> On 9 Mar 2023, at 18:18, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Thu, 9 Mar 2023, Daniel Gustafsson wrote:
>
>> This opens us up to the risk that we've misjudged the severity, and we publish what we think is Low but in reality should've been High (or higher). Ideally this shouldn't happen, and thus the risk is low, but known risks are better than unknown. If we are on the fence regarding severity it should be fine to keep it hidden as per the process for High.
>
> Ah yes, good point. We should be fairly sure of the severity level before we make a (public) PR to fix any security flaw.
>
> Do you think it is worth adding words about that in the SECURITY-PROCESS document?

I think the current wording in your PR suffices as it's "vague" enough to allow
the security team to make the call on a case by case basis.

--
Daniel Gustafsson
Received on 2023-03-09