On Wed, Jan 24, 2024 at 07:20:34AM -0800, Vincent Zimmer wrote: > I agree on your sentiment about Bugzilla (bz) not being ideal for this. > This space has been a multi-year journey from usrt-based tickets, bespoke > advisories, bz, etc into today's world of tianocore infosec, tianocore as > its own CVE Naming Authority (CNA) and working to leverage the extant > features of github. On that latter point, there is work afoot to evolve > from the present bz-based process > https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues > to a github-based one > https://github.com/tianocore/tianocore.github.io/wiki/GHSA-GitHub-Security-Advisories-Proceess-(Draft). > Things are in transition now and I'd echo Doug's sentiment that getting > more feedback and engagement from the community would be valuable in > getting the various parts tested, evolved, documented, reviewed, etc.
The GHSA process certainly is an improvement over using patches attached to bugzilla. There still is room for improvement though. Community engagement is a problem indeed, and my overall impression is that it is even worse than on the edk2 devel list. I think part of the problem might be lack of notifications. I can't remember being notified in case the "tianocore infosec team" group is added to a new GHSA, so it's hard to learn about new advisories ... take care, Gerd -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#114332): https://edk2.groups.io/g/devel/message/114332 Mute This Topic: https://groups.io/mt/103913088/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
