
Create a security policy #79

Open
4 tasks
Tracked by #281
TravisCarden opened this issue Mar 1, 2023 · 5 comments
Comments

@TravisCarden
Collaborator

TravisCarden commented Mar 1, 2023

According to the Core dependency release cycles, security information, and evaluation criteria, dependencies are evaluated for their security policies before being added to Drupal core. To facilitate adding this library (see Add php-tuf/composer-stager to core dependencies on Drupal.org), we need to define a security policy.

@TravisCarden TravisCarden changed the title Define a security policy Define a security policy for this project Mar 1, 2023
@effulgentsia

We'll want to reference https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquette/reporting-a-security-issue, but we'll need some custom language, since for example, the answer at the bottom there for "What if the vulnerability affects a project that is not hosted on Drupal.org?" would be incorrect for Composer Stager and the other PHP-TUF repos.

@effulgentsia

Let's start with a pull request with the following SECURITY.md:

Security Policy
===============

DO NOT PUBLISH SECURITY REPORTS PUBLICLY.

Security advisories for this project are coordinated by the Drupal Security Team.

If you found any issues that might have security implications,
please send a report to security[at]drupal.org

The full [Security Policy][1] is described in Drupal's official documentation.

  [1]: https://www.drupal.org/drupal-security-team

I based the above on https://raw.githubusercontent.com/symfony/.github/main/SECURITY.md.

Let's not merge such a PR though until it's been reviewed by Drupal's security team.

@TravisCarden
Collaborator Author

TravisCarden commented Mar 3, 2023

Here's the PR, @effulgentsia: #85. I requested review from the security team at https://drupal.slack.com/archives/C5B7P7294/p1677870014372739.

@TravisCarden TravisCarden changed the title Define a security policy for this project Create a security policy Mar 3, 2023
@TravisCarden
Collaborator Author

I assume this should be a stable blocker, @effulgentsia.

@TravisCarden TravisCarden added this to the v2.0.0 milestone Sep 14, 2023
@effulgentsia

We need to do this to get Composer Stager into Drupal, but I don't think it needs to block a stable 2.0.0 release of Composer Stager, since adding a SECURITY.md file and other docs wouldn't disrupt Composer Stager's codebase in any way. Keeping it in the v2.0.0 milestone as something we'd like to focus on and ideally get done before 2.0.0 is fine though.
