Stream: wg-secure-code

Topic: Disclosure policy


DPC (Oct 13 2019 at 15:53, on Zulip):

So suppose there is a vulnerability/advisory by RustSec, how do we, as crate maintainers, go about fixing it?

For context, for a crate I co-maintain, there was a vulnerability and one of the co-maintainers posted it on https://www.reddit.com/r/rust/comments/dguqt3/vulnerability_in_sodiumoxide_generichashdigesteq/.

But I feel this may not be the right thing. Any pointers?

Tony Arcieri (Oct 13 2019 at 17:04, on Zulip):

we've talked about putting every advisory on Reddit /cc @Shnatsel

Tony Arcieri (Oct 13 2019 at 17:04, on Zulip):

seems good to me

Alex Gaynor (Oct 13 2019 at 17:06, on Zulip):

Helping make sure folks are running cargo-audit in CI, getting GitHub to set notices/PRs, and having the thing that audits crates.io running and causing people to send PRs seems more important than publicizing individual vulns, IMO.

DPC (Oct 13 2019 at 19:09, on Zulip):

Thanks @Tony Arcieri

Shnatsel (Oct 13 2019 at 20:08, on Zulip):

Posting vulnerabilities increases visibility for the entire RustSec effort, which is why I suggested them. It is otherwise not particularly discoverable other than through word-of-mouth.
Alerting major dependents directly sounds like a good thing too. https://gitlab.com/zachreizner/crates-audit lets you find all crates affected, including transitive dependents.

Shnatsel (Oct 13 2019 at 20:09, on Zulip):

Also, CI is really not the place to run cargo-audit - it should not block development, but it should prompt you to rebuild all your binaries used in production.

Tony Arcieri (Oct 13 2019 at 20:12, on Zulip):

I like running it in CI. Not everything you run in CI necessarily needs to block a merge

Tony Arcieri (Oct 13 2019 at 20:12, on Zulip):

but also you could run it on a schedule

DPC (Oct 13 2019 at 21:37, on Zulip):

So what should be the next step? Yank all affected releases?

Tony Arcieri (Oct 13 2019 at 21:53, on Zulip):

there's been a lot of back and forth on that one. I'd personally recommend it, especially for a security vulnerability

Tony Arcieri (Oct 13 2019 at 21:53, on Zulip):

some people complain it's too disruptive, but I hope they don't complain it's too disruptive in this case

Shnatsel (Oct 13 2019 at 22:07, on Zulip):

@DPC Oh yes, yanking all affected releases is a really good idea. If there are some releases that are not semver-compatible with the fixed version and people still use them, backport the fix to that series and make a new release there, then yank everything affected.

Shnatsel (Oct 13 2019 at 22:20, on Zulip):

The complaints about yanking were for cases when people don't provide a semver-compatible version with the fix

Last update: Nov 11 2019 at 22:00 UTC