Github has started supporting SECURITY.md to contain a project's security policy. Right now, the only place to find this project's security contact is on bitcoincore.org. Adding this information to the repository makes it easier to find as SECURITY.md becomes a standard.
This is copied almost exactly from https://bitcoincore.org/en/contact/ and based on conversations with EthanHeilman.
In the official github SECURITY.md template they have the a "versions supported" section and a ## Reporting a Vulnerability header. I don't see the versions table as necessary, but there might be some use to including the ## Reporting a Vulnerability header as it would keep the same pattern as the default template.
ACK. I think this is a great idea, thank you.
ACK.
Github's (sparse) documentation for SECURITY.md can be seen here: https://help.github.com/en/articles/adding-a-security-policy-to-your-repository
It's intended to provide a standard place for these policies. By merging this here, I suspect we'll see a trickle effect as our downstreams rebase and insert their own policies.
Also, it's worth mentioning that @narula pitched this idea to Github a few months ago (we were calling it DISCLOSURE.md then). Something might've been in the works already, but the nudge couldn't have hurt. Thanks!
ACK c5fa63bd8abf2c96955230b1800121c1dd16ede9
Welcome as a contributor @narula! :-)
utACK https://github.com/bitcoin/bitcoin/pull/16140/commits/c5fa63bd8abf2c96955230b1800121c1dd16ede9
So this will also populate this tab:
utACK https://github.com/bitcoin/bitcoin/pull/16140/commits/c5fa63bd8abf2c96955230b1800121c1dd16ede9
Compared GPG fingerprints to those on the bitcoincore.org.
Rebased and added ## Reporting a vulnerability line to address @EthanHeilman's point about making this consistent with default Github formatting.
ACK c6d05885d7686d4bbe2eec33281b17bd32fe27b3 (verified the keys)
utACK c6d0588.
Concept ACK. I think we should also move the EOL policy from the website into the repo, but that might be also good for a follow up pull request.
From the template:
## Supported Versions
Use this section to tell people about which versions of your project are
currently being supported with security updates.
| Version | Supported |
| ------- | ------------------ |
| 5.1.x | :white_check_mark: |
| 5.0.x | :x: |
| 4.0.x | :white_check_mark: |
| < 4.0 | :x: |
@MarcoFalke I could add something like the following to comply with the suggested format. It's a bit annoying to have the same information in two places...
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 0.18 | :white_check_mark: |
| 0.17 | :white_check_mark: |
| 0.16 | :white_check_mark: |
| 0.15 | :white_check_mark: |
| < 0.15 | :x: |
Github has started supporting SECURITY.md to contain a project's
security policy. Right now, the only place to find this project's
security contact is on bitcoincore.org. Adding this information to the
repository makes it easier to find as SECURITY.md becomes a standard.
This is copied almost exactly from https://bitcoincore.org/en/contact/
and based on conversations with Ethan Heilman.
Added Supported Versions. Pending re-ACKs on the GPG keys with the new commit hash, is this good to merge?
ACK fdd7fa19a9fdc6f15208280201e0ce186e35a9c8
ACK fdd7fa19a9fdc6f15208280201e0ce186e35a9c8
How do we plan to maintain the accuracy of this file's contents in release branches?
@sipa Can updating this file be folded into the release process?
I think this file is only important in master, because that's where github (as I understand) looks to display it. So maybe it'd make sense to remove it when branching.
(there's some other process related documents with the same problem, where the answer is basically always 'look at the version in master', like release-proces.md, developer-notes.md and maybe more)
ACK fdd7fa19a9fdc6f15208280201e0ce186e35a9c8
Verified the fingerprints match bitcoincore.org.