On Mon, Jan 05, 2015 at 06:01:14PM +0100, Thomas Graf wrote:
> On 01/05/15 at 04:23pm, Jiri Benc wrote:
> > On Fri, 2 Jan 2015 17:57:14 -0800, Ben Pfaff wrote:
> > > 1) Consider provisions for ensuring privacy and integrity of
> > > communications around disclosure (eg, use PGP for all comms).
> >
> > That never hurts. I'd argue that's not strictly required though, as the
> > code speaks for itself and anybody can verify the patch does what it
> > does and the reasoning is correct.
>
> I agree and I would put the emphasis on the communication around the
> disclosure. Requiring GPG for all reports is pretty much pointless
> without a previous web of trust between the team and the reporter.
>
> We should however sign the messages when we disclose the vulnerability
> publicly.
OK, I added a paragraph to the introduction:

    We encourage everyone involved in the security process to GPG-sign
    their emails. We additionally encourage GPG-encrypting one-on-one
    conversations as part of the security process.

and to "Step 5: Full Disclosure":

    The security advisory should be GPG-signed by a security team member
    with a key that is in a public web of trust.