From 129da60f578723edc9ca6405ca7f53b31afd1875 Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Tue, 25 Jul 2023 18:34:15 +0200 Subject: doc/vulnerability-roundup: Rough move to new contribution doc files No content was changed, new titles are wrapped with () to signal that they will need to be decided on in a future commit. Section in the manual have been preserved with a simple redirect to GitHub, the proper anchors should be filled out in a future commit once the new section names are decided. --- pkgs/README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) (limited to 'pkgs/README.md') diff --git a/pkgs/README.md b/pkgs/README.md index 8559d9bee0271..774b738f688bf 100644 --- a/pkgs/README.md +++ b/pkgs/README.md @@ -765,3 +765,49 @@ Security fixes are submitted in the same way as other changes and thus the same If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch. Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as `master` and `release-*`. + +### Vulnerability Roundup {#chap-vulnerability-roundup} + +#### Issues {#vulnerability-roundup-issues} + +Vulnerable packages in Nixpkgs are managed using issues. +Currently opened ones can be found using the following: + +[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22) + +Each issue correspond to a vulnerable version of a package; As a consequence: + +- One issue can contain several CVEs; +- One CVE can be shared across several issues; +- A single package can be concerned by several issues. + + +A "Vulnerability roundup" issue usually respects the following format: + +```txt +, + + + + + + +``` + +Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package. + + +#### Triaging and Fixing {#vulnerability-roundup-triaging-and-fixing} + +**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable). +If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check. + +If you are investigating a "true positive": + +- Find the earliest patched version or a code patch in the CVE details; +- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch? + - **No**: + - [Submit a security fix](#submitting-changes-submitting-security-fixes); + - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches); + - **Yes**: [Backport the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches). +- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s). -- cgit 1.4.1