diff options
author | Silvan Mosberger <silvan.mosberger@tweag.io> | 2023-07-25 18:34:15 +0200 |
---|---|---|
committer | Silvan Mosberger <silvan.mosberger@tweag.io> | 2023-08-13 22:04:56 +0200 |
commit | 129da60f578723edc9ca6405ca7f53b31afd1875 (patch) | |
tree | 5eec8ba21fac64b6c551230cf068a3b858c4b92a /pkgs/README.md | |
parent | 86f14e461ef18bf5c0dbc63f46fdc5d13d183628 (diff) |
doc/vulnerability-roundup: Rough move to new contribution doc files
No content was changed, new titles are wrapped with () to signal that they will need to be decided on in a future commit. Section in the manual have been preserved with a simple redirect to GitHub, the proper anchors should be filled out in a future commit once the new section names are decided.
Diffstat (limited to 'pkgs/README.md')
-rw-r--r-- | pkgs/README.md | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/pkgs/README.md b/pkgs/README.md index 8559d9bee0271..774b738f688bf 100644 --- a/pkgs/README.md +++ b/pkgs/README.md @@ -765,3 +765,49 @@ Security fixes are submitted in the same way as other changes and thus the same If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch. Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as `master` and `release-*`. + +### Vulnerability Roundup {#chap-vulnerability-roundup} + +#### Issues {#vulnerability-roundup-issues} + +Vulnerable packages in Nixpkgs are managed using issues. +Currently opened ones can be found using the following: + +[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22) + +Each issue correspond to a vulnerable version of a package; As a consequence: + +- One issue can contain several CVEs; +- One CVE can be shared across several issues; +- A single package can be concerned by several issues. + + +A "Vulnerability roundup" issue usually respects the following format: + +```txt +<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub> + +<list of related CVEs, their CVSS score, and the impacted NixOS version> + +<list of the scanned Nixpkgs versions> + +<list of relevant contributors> +``` + +Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package. + + +#### Triaging and Fixing {#vulnerability-roundup-triaging-and-fixing} + +**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable). +If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check. + +If you are investigating a "true positive": + +- Find the earliest patched version or a code patch in the CVE details; +- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch? + - **No**: + - [Submit a security fix](#submitting-changes-submitting-security-fixes); + - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches); + - **Yes**: [Backport the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches). +- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s). |