
doc/vulnerability-roundup: Rough move to new contribution doc files

No content was changed; new titles are wrapped with () to signal that
they will need to be decided on in a future commit.

Sections in the manual have been preserved with a simple redirect to
GitHub; the proper anchors should be filled out in a future commit once
the new section names are decided.

+50 -38
+4 -38
doc/contributing/vulnerability-roundup.chapter.md
··· 1 1 # Vulnerability Roundup {#chap-vulnerability-roundup} 2 2 3 - ## Issues {#vulnerability-roundup-issues} 4 - 5 - Vulnerable packages in Nixpkgs are managed using issues. 6 - Currently opened ones can be found using the following: 7 - 8 - [github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22) 9 - 10 - Each issue correspond to a vulnerable version of a package; As a consequence: 11 - 12 - - One issue can contain several CVEs; 13 - - One CVE can be shared across several issues; 14 - - A single package can be concerned by several issues. 15 - 16 - 17 - A "Vulnerability roundup" issue usually respects the following format: 18 - 19 - ```txt 20 - <link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub> 21 - 22 - <list of related CVEs, their CVSS score, and the impacted NixOS version> 23 - 24 - <list of the scanned Nixpkgs versions> 3 + This section has been moved to [pkgs/README.md](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md). 25 4 26 - <list of relevant contributors> 27 - ``` 5 + ## Issues {#vulnerability-roundup-issues} 28 6 29 - Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package. 30 - 7 + This section has been moved to [pkgs/README.md](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md). 31 8 32 9 ## Triaging and Fixing {#vulnerability-roundup-triaging-and-fixing} 33 10 34 - **Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable). 35 - If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check. 
36 - 37 - If you are investigating a "true positive": 38 - 39 - - Find the earliest patched version or a code patch in the CVE details; 40 - - Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch? 41 - - **No**: 42 - - [Submit a security fix](#submitting-changes-submitting-security-fixes); 43 - - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches); 44 - - **Yes**: [Backport the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches). 45 - - When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s). 11 + This section has been moved to [pkgs/README.md](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md).
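Review bot: all three redirect lines added in this file (new lines 3, 7 and 11) point at the bare `pkgs/README.md` URL with no fragment, so a reader following the preserved `{#vulnerability-roundup-issues}` or `{#vulnerability-roundup-triaging-and-fixing}` anchors lands at the top of an 800-plus-line file rather than at the moved section. The commit message defers anchors to a later commit, but the section-level redirects only earn their keep if they carry a fragment; if the final heading names are still open, consider a single chapter-level redirect for now and add the per-section fragments in the commit that settles the names, so the interim state does not advertise three links that all resolve to the same place.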
+46
pkgs/README.md
··· 765 765 If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch. 766 766 767 767 Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as `master` and `release-*`. 768 + 769 + ### Vulnerability Roundup {#chap-vulnerability-roundup} 770 + 771 + #### Issues {#vulnerability-roundup-issues} 772 + 773 + Vulnerable packages in Nixpkgs are managed using issues. 774 + Currently opened ones can be found using the following: 775 + 776 + [github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22) 777 + 778 + Each issue correspond to a vulnerable version of a package; As a consequence: 779 + 780 + - One issue can contain several CVEs; 781 + - One CVE can be shared across several issues; 782 + - A single package can be concerned by several issues. 783 + 784 + 785 + A "Vulnerability roundup" issue usually respects the following format: 786 + 787 + ```txt 788 + <link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub> 789 + 790 + <list of related CVEs, their CVSS score, and the impacted NixOS version> 791 + 792 + <list of the scanned Nixpkgs versions> 793 + 794 + <list of relevant contributors> 795 + ``` 796 + 797 + Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package. 798 + 799 + 800 + #### Triaging and Fixing {#vulnerability-roundup-triaging-and-fixing} 801 + 802 + **Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable). 
803 + If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check. 804 + 805 + If you are investigating a "true positive": 806 + 807 + - Find the earliest patched version or a code patch in the CVE details; 808 + - Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch? 809 + - **No**: 810 + - [Submit a security fix](#submitting-changes-submitting-security-fixes); 811 + - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches); 812 + - **Yes**: [Backport the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches). 813 + - When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s).
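Review bot: the relative link `[Submit a security fix](#submitting-changes-submitting-security-fixes)` on new line 810 was an intra-manual anchor; now that the text lives in `pkgs/README.md` it only resolves where the README is rendered with the `{#id}` heading attributes honored (GitHub's own markdown renderer shows those attributes as literal text and derives anchors from the heading text), so either confirm the target heading is in this README with a slug GitHub produces, or use the full manual URL the way lines 811 and 812 already do. Since this is a verbatim move, the pre-existing slips in the moved text carry over as well: `Each issue correspond to` (778) should read `corresponds to`, `linking as much information as the necessary` (803) should read `as much information as necessary`, and the doubled blank lines at 783-784 and 798-799 can be collapsed; all of these fit naturally into the follow-up commit that decides the section names.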