
Write docs for GHSA
Open, High, Public

Description

Apparently no one knows how to use the GHSA interface to do private security patches and such.

Write docs

Event Timeline

RhinosF1 triaged this task as High priority. Wed, Apr 28, 20:47
RhinosF1 created this task.

This could probably be lowered to normal priority, no?

In T7214#143206, @Void wrote:

Our main focus is on allowing others to view and manage private patches.

I could be wrong, but I think what @Void is suggesting with this comment is that the GitHub docs for creating security advisories in GitHub exist and are, presumably, fairly adequate, so there's not a real need to create our own tech docs?

In T7214#143206, @Void wrote:

Our main focus is on allowing others to view and manage private patches.

I could be wrong, but I think what @Void is suggesting with this comment is that the GitHub docs for creating security advisories in GitHub exist and are, presumably, fairly adequate, so there's not a real need to create our own tech docs?

You’d think that, but when dealing with an incident, it was clear there was insufficient documentation, as this was pushed twice publicly for review before anyone figured out how to do this correctly.

What John said. From the 3 times I've done it before, it seemed straightforward, but no one managed it yesterday.

In T7214#143264, @John wrote:
In T7214#143206, @Void wrote:

Our main focus is on allowing others to view and manage private patches.

I could be wrong, but I think what @Void is suggesting with this comment is that the GitHub docs for creating security advisories in GitHub exist and are, presumably, fairly adequate, so there's not a real need to create our own tech docs?

You’d think that, but when dealing with an incident, it was clear there was insufficient documentation, as this was pushed twice publicly for review before anyone figured out how to do this correctly.

Ah, okay, makes sense then. :)

For clarity, my comment was more along the lines of incorporating the GitHub documentation into our processes instead of rewriting what was already there. I may have also been asking for clarification on whether my link was what GHSA was referring to, as it is not immediately clear what that abbreviation stands for. Either way, having a clear security policy for working on security patches is definitely a good idea.

As a side note, I don't particularly like how GitHub requires a security advisory to be created (which requires elevated access to the repository) in order for a private branch to be utilized. But that's not a problem for us to resolve.