[PATCH] docs: Add a basic security document

Based loosely on the Linux kernel Documentation/admin-guide/security-bugs.rst file, create a basic security document for U-Boot. In sum, security issues should be disclosed in public on the mailing list if at all possible as an initial position.
Signed-off-by: Tom Rini trini@konsulko.com
---
 doc/develop/index.rst    |  1 +
 doc/develop/security.rst | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 doc/develop/security.rst
diff --git a/doc/develop/index.rst b/doc/develop/index.rst index 5934d9ffb115..04322efe59fd 100644 --- a/doc/develop/index.rst +++ b/doc/develop/index.rst @@ -15,6 +15,7 @@ General process release_cycle system_configuration + security sending_patches
Implementation diff --git a/doc/develop/security.rst b/doc/develop/security.rst new file mode 100644 index 000000000000..84b130646f31 --- /dev/null +++ b/doc/develop/security.rst @@ -0,0 +1,32 @@ +.. SPDX-License-Identifier: GPL-2.0+: + +Handling of security vulnerabilities +==================================== + +The U-Boot project takes security very seriously. As such, we'd like to know +when a security bug is found so that it can be fixed and disclosed as quickly +as possible. + +Contact +------- + +The preferred initial point of contact is to send email to +`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any +relevant custodians. In addition, Tom Rini should be contacted at +`trini@konsulko.com`. + +CVE assignment +-------------- + +The U-Boot project cannot directly assign CVEs, nor do we require them for +reports or fixes, as this can needlessly complicate the process and may delay +the bug handling. If a reporter wishes to have a CVE identifier assigned ahead +of public disclosure, they will need to coordinate this on their own. When +such a CVE identifier is known before a patch is provided, it is desirable to +mention it in the commit message if the reporter agrees. + +Non-disclosure agreements +------------------------- + +The U-Boot project is not a formal body and therefore unable to enter any +non-disclosure agreements.
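Review bot: in the index.rst hunk the new `security` toctree entry lands between `system_configuration` and `sending_patches`; if the "General process" list is meant to be alphabetical, `security` belongs between `release_cycle` and `sending_patches`, and `system_configuration` would then also have to move after `sending_patches`, so please settle on one ordering before this is applied.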
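Review bot: the first line of the new security.rst, `.. SPDX-License-Identifier: GPL-2.0+:`, carries a stray trailing colon after the license tag; the other rst files use `.. SPDX-License-Identifier: GPL-2.0+` and license scanners match on that exact form, so drop the colon. Two documentation gaps in the same hunk: the commit message states the policy that issues are disclosed in public on the mailing list as the initial position, but the "Contact" section never says that `u-boot@lists.denx.de` is a public, archived list, so a reporter cannot tell from the document that mailing it is itself public disclosure; say so explicitly next to the address. And the bare mention of `scripts/get_maintainers.pl` would read better with a cross-reference to the existing sending_patches page, which already describes how that script is used.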

On 11/3/22 19:25, Tom Rini wrote:
Based loosely on the Linux kernel Documentation/admin-guide/security-bugs.rst file, create a basic security document for U-Boot. In sum, security issues should be disclosed in public on the mailing list if at all possible as an initial position.
Signed-off-by: Tom Rini trini@konsulko.com
 doc/develop/index.rst    |  1 +
 doc/develop/security.rst | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 doc/develop/security.rst
diff --git a/doc/develop/index.rst b/doc/develop/index.rst index 5934d9ffb115..04322efe59fd 100644 --- a/doc/develop/index.rst +++ b/doc/develop/index.rst @@ -15,6 +15,7 @@ General process release_cycle system_configuration
- security
Should we get this into alphabetic order?
sending_patches
Implementation diff --git a/doc/develop/security.rst b/doc/develop/security.rst new file mode 100644 index 000000000000..84b130646f31 --- /dev/null +++ b/doc/develop/security.rst @@ -0,0 +1,32 @@ +.. SPDX-License-Identifier: GPL-2.0+:
+Handling of security vulnerabilities +====================================
+The U-Boot project takes security very seriously. As such, we'd like to know +when a security bug is found so that it can be fixed and disclosed as quickly +as possible.
+Contact +-------
+The preferred initial point of contact is to send email to +`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any +relevant custodians. In addition, Tom Rini should be contacted at +`trini@konsulko.com`.
+CVE assignment +--------------
+The U-Boot project cannot directly assign CVEs, nor do we require them for +reports or fixes, as this can needlessly complicate the process and may delay +the bug handling. If a reporter wishes to have a CVE identifier assigned ahead +of public disclosure, they will need to coordinate this on their own. When +such a CVE identifier is known before a patch is provided, it is desirable to +mention it in the commit message if the reporter agrees.
+Non-disclosure agreements +-------------------------
+The U-Boot project is not a formal body and therefore unable to enter any +non-disclosure agreements.
Otherwise Reviewed-by: Heinrich Schuchardt xypron.glpk@gmx.de

On Thu, Nov 03, 2022 at 09:05:59PM +0100, Heinrich Schuchardt wrote:
On 11/3/22 19:25, Tom Rini wrote:
Based loosely on the Linux kernel Documentation/admin-guide/security-bugs.rst file, create a basic security document for U-Boot. In sum, security issues should be disclosed in public on the mailing list if at all possible as an initial position.
Signed-off-by: Tom Rini trini@konsulko.com
 doc/develop/index.rst    |  1 +
 doc/develop/security.rst | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 doc/develop/security.rst
diff --git a/doc/develop/index.rst b/doc/develop/index.rst index 5934d9ffb115..04322efe59fd 100644 --- a/doc/develop/index.rst +++ b/doc/develop/index.rst @@ -15,6 +15,7 @@ General process release_cycle system_configuration
- security
Should we get this into alphabetic order?
Whoops, can you fix when applying please?
sending_patches
Implementation diff --git a/doc/develop/security.rst b/doc/develop/security.rst new file mode 100644 index 000000000000..84b130646f31 --- /dev/null +++ b/doc/develop/security.rst @@ -0,0 +1,32 @@ +.. SPDX-License-Identifier: GPL-2.0+:
+Handling of security vulnerabilities +====================================
+The U-Boot project takes security very seriously. As such, we'd like to know +when a security bug is found so that it can be fixed and disclosed as quickly +as possible.
+Contact +-------
+The preferred initial point of contact is to send email to +`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any +relevant custodians. In addition, Tom Rini should be contacted at +`trini@konsulko.com`.
+CVE assignment +--------------
+The U-Boot project cannot directly assign CVEs, nor do we require them for +reports or fixes, as this can needlessly complicate the process and may delay +the bug handling. If a reporter wishes to have a CVE identifier assigned ahead +of public disclosure, they will need to coordinate this on their own. When +such a CVE identifier is known before a patch is provided, it is desirable to +mention it in the commit message if the reporter agrees.
+Non-disclosure agreements +-------------------------
+The U-Boot project is not a formal body and therefore unable to enter any +non-disclosure agreements.
Otherwise Reviewed-by: Heinrich Schuchardt xypron.glpk@gmx.de

Hi Tom,
On Thu, 3 Nov 2022 at 12:25, Tom Rini trini@konsulko.com wrote:
Based loosely on the Linux kernel Documentation/admin-guide/security-bugs.rst file, create a basic security document for U-Boot. In sum, security issues should be disclosed in public on the mailing list if at all possible as an initial position.
Signed-off-by: Tom Rini trini@konsulko.com
 doc/develop/index.rst    |  1 +
 doc/develop/security.rst | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 doc/develop/security.rst
Reviewed-by: Simon Glass sjg@chromium.org
diff --git a/doc/develop/index.rst b/doc/develop/index.rst index 5934d9ffb115..04322efe59fd 100644 --- a/doc/develop/index.rst +++ b/doc/develop/index.rst @@ -15,6 +15,7 @@ General process release_cycle system_configuration
- security sending_patches
Implementation diff --git a/doc/develop/security.rst b/doc/develop/security.rst new file mode 100644 index 000000000000..84b130646f31 --- /dev/null +++ b/doc/develop/security.rst @@ -0,0 +1,32 @@ +.. SPDX-License-Identifier: GPL-2.0+:
+Handling of security vulnerabilities +====================================
+The U-Boot project takes security very seriously. As such, we'd like to know +when a security bug is found so that it can be fixed and disclosed as quickly +as possible.
+Contact +-------
+The preferred initial point of contact is to send email to +`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
link to patman docs?
:doc:`doc/develop/sending_patches`
+relevant custodians. In addition, Tom Rini should be contacted at +`trini@konsulko.com`.
+CVE assignment +--------------
+The U-Boot project cannot directly assign CVEs, nor do we require them for +reports or fixes, as this can needlessly complicate the process and may delay +the bug handling. If a reporter wishes to have a CVE identifier assigned ahead +of public disclosure, they will need to coordinate this on their own. When +such a CVE identifier is known before a patch is provided, it is desirable to +mention it in the commit message if the reporter agrees.
+Non-disclosure agreements +-------------------------
+The U-Boot project is not a formal body and therefore unable to enter any
+non-disclosure agreements.
Regards, Simon
participants (3): Heinrich Schuchardt, Simon Glass, Tom Rini