Thread overview
Security point of contact
Jun 09, 2018
Cym13
Jun 09, 2018
Seb
Jun 09, 2018
Cym13
Jun 09, 2018
Cym13
Jun 10, 2018
Seb
Jun 10, 2018
Vladimir Panteleev
Jun 10, 2018
Cym13
Jun 28, 2018
Seb
June 09, 2018
Yop.

I need to discuss an issue related to dub. No need to alarm everyone yet, that only concerns 1.3% of dub projects, but still it's something that shouldn't be taken lightly.

Who should I contact?

I'd very very much like to have something like a security@dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.
June 09, 2018
On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
> Yop.
>
> I need to discuss an issue related to dub. No need to alarm everyone yet, that only concerns 1.3% of dub projects, but still it's something that shouldn't be taken lightly.
>
> Who should I contact?

Sönke, Martin und myself.

https://github.com/s-ludwig (look in the DUB git log for his email address)
https://github.com/MartinNowak
https://github.com/wilzbach


> I'd very very much like to have something like a security@dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.

I will try to get this email address setup.
At least we already have an official GPG keyring:

https://dlang.org/gpg_keys.html
June 09, 2018
On Saturday, 9 June 2018 at 21:52:59 UTC, Seb wrote:
> On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
>> Yop.
>>
>> I need to discuss an issue related to dub. No need to alarm everyone yet, that only concerns 1.3% of dub projects, but still it's something that shouldn't be taken lightly.
>>
>> Who should I contact?
>
> Sönke, Martin und myself.
>
> https://github.com/s-ludwig (look in the DUB git log for his email address)
> https://github.com/MartinNowak
> https://github.com/wilzbach

Thank you, the mail should be in your box already.

>> I'd very very much like to have something like a security@dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.
>
> I will try to get this email address setup.
> At least we already have an official GPG keyring:
>
> https://dlang.org/gpg_keys.html

Having the address will be a very good start, thank you.

For comparison the PHP project has two things that I enjoyed when disclosing bugs:

1. Security guidelines (https://wiki.php.net/security) that clearly state
   what they consider a vulnerability and what isn't. I find it very well
   designed and it could be an inspiration for a D security guideline even
   though we're not having too many vulnerabilities disclosed right now as
   far as I know.

2. They configured their bugzilla so that when the category "security" is
   used the bug is made private and only the proper team is put in copy. I
   don't know how easy it is so an email address seems more practical right
   now I think. Note that this is in complement to security@php.net which
   they use mostly for security related talk but not bug reports.

Anyway, I'm not sure we need all this right now, but I'd rather start the discussion early.
June 09, 2018
On Saturday, 9 June 2018 at 23:19:34 UTC, Cym13 wrote:
> Thank you, the mail should be in your box already.

Well, apparently gmail considered it spam, so it shouldn't be in your box. But I'm sure Sönke or Martin will be able to transfer it.
June 10, 2018
On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
> Who should I contact?
>
> I'd very very much like to have something like a security@dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.

Less specifically, it depends on the component / property. There is the https://wiki.dlang.org/People page, which has a list of points of contact.

June 10, 2018
On Sunday, 10 June 2018 at 00:31:55 UTC, Vladimir Panteleev wrote:
> On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
>> Who should I contact?
>>
>> I'd very very much like to have something like a security@dlang.org for such things, it's not the first and likely not the last time this need arises, and the lack of a clear procedure doesn't encourage coordinated disclosure.
>
> Less specifically, it depends on the component / property. There is the https://wiki.dlang.org/People page, which has a list of points of contact.

This is the thing exactly, first of all the idea that the main developer of the part of the project impacted should be the one receiving the report is sound but far from obvious. In many countries there is a (stupid) legal risk associated with vulnerability disclosure, so as a researcher you'd rather be sure that you're talking to the right person.

Furthermore the list doesn't provide any direct way to contact any of those people, which isn't surprising but adds friction. In the best case the email is visible on their github account, in the worst you need to look at commits and hope the email is still valid and the one the person expects to be contact with.

The alternatives are 1) opening a public issue on issues.dlang.org, which I did many times where I judged that it was acceptable given the issue but I'm never at ease doing it, or 2) asking as I just did.

I can say with certainty that the current process is a deterrent. In the past I decided not to discuss some issues because of it (hopefully not to important otherwise I'd have pressed the matter and remember what it was about, but judging importance isn't easy).

Security is the thing nobody wants to have to think about, but it's important nonetheless, so I think it's worth improving the process on that point. After all, all issues found and disclosed by external people are issues you don't have to find yourself ;)
June 10, 2018
On Saturday, 9 June 2018 at 23:19:34 UTC, Cym13 wrote:
> On Saturday, 9 June 2018 at 21:52:59 UTC, Seb wrote:
>> On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
>>> Yop.
>>>
>>> I need to discuss an issue related to dub. No need to alarm everyone yet, that only concerns 1.3% of dub projects, but still it's something that shouldn't be taken lightly.
>>>
>>> Who should I contact?
>>
>> Sönke, Martin und myself.
>>
>> https://github.com/s-ludwig (look in the DUB git log for his email address)
>> https://github.com/MartinNowak
>> https://github.com/wilzbach
>
> Thank you, the mail should be in your box already.

Sorry - I never got a mail :/
Which address did you use?
In doubt, this is my official one:

https://seb.wilzba.ch/contact/
June 28, 2018
On Sunday, 10 June 2018 at 00:59:11 UTC, Cym13 wrote:
> On Sunday, 10 June 2018 at 00:31:55 UTC, Vladimir Panteleev wrote:
>> [...]
>
> This is the thing exactly, first of all the idea that the main developer of the part of the project impacted should be the one receiving the report is sound but far from obvious. In many countries there is a (stupid) legal risk associated with vulnerability disclosure, so as a researcher you'd rather be sure that you're talking to the right person.
>
> [...]

Another step at setting such a security point of contact up:

https://github.com/dlang/dlang.org/pull/2398

Input is welcome.