Add SECURITY.md (7.8.x) #3128
Conversation
Either here or in the Changelog. Perhaps Changelog would be better... otherwise if I wanted to install version

And about the text.... how I wish I could write like this - even in Portuguese.

+1 to all, with one minor comment only. I think most Open Source projects have at least one private channel for security bugs. If one user in - say - New Zealand finds a security bug that could be used to compromise environments at other sites, then I think disclosing it publicly in a mailing list or issue tracker wouldn't be good for the other sites. Though there is also less transparency this way, and some projects (the Kernel, I believe) treat security bugs more like normal bugs, unless it is one of those global bugs. I think it is possible to find bugs in the Kernel that reporters detail could be a security issue (but in the Kernel, possibly most memory bugs could be security bugs, I think...). But I think site admins might have a better opinion on how they would like to see security issues being disclosed in the project. I am happy to have a way to tell users what to do in such a case 😁
@kinow - good points; I'll give email addresses for disclosure, and move the Jinja2 note to the change log.

Tweaked as discussed above.

@MartinRyan - you probably need to be aware of this one (particularly the comment on the Jinja2 CVE) in case your security colleagues ask ...
Looks good to me. One minor comment but not a blocker IMO. 👏
Close cylc/cylc-admin#11
Based on https://github.com/standard/standard/blob/master/SECURITY.md
For 7.8.x, adds a note on the recent Jinja2 CVE and why it is not an issue for Cylc.
@kinow - do you think this is the appropriate place for such "alerts"?