diff options
| author | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:33 +0000 |
|---|---|---|
| committer | Alyssa Ross <hi@alyssa.is> | 2022-05-31 09:59:57 +0000 |
| commit | 9ff36293d1e428cd7bf03e8d4b03611b6d361c28 (patch) | |
| tree | 1ab51a42b868c55b83f6ccdb80371b9888739dd9 /doc/contributing/vulnerability-roundup.chapter.md | |
| parent | 1c4fcd0d4b0541e674ee56ace1053e23e562cc80 (diff) | |
| parent | ddc3c396a51918043bb0faa6f676abd9562be62c (diff) | |
| download | nixpkgs-archive.tar nixpkgs-archive.tar.gz nixpkgs-archive.tar.bz2 nixpkgs-archive.tar.lz nixpkgs-archive.tar.xz nixpkgs-archive.tar.zst nixpkgs-archive.zip | |
Last good Nixpkgs for Weston+nouveau? archive
I came this commit hash to terwiz[m] on IRC, who is trying to figure out what the last version of Spectrum that worked on their NUC with Nvidia graphics is.
Diffstat (limited to 'doc/contributing/vulnerability-roundup.chapter.md')
| -rw-r--r-- | doc/contributing/vulnerability-roundup.chapter.md | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/doc/contributing/vulnerability-roundup.chapter.md b/doc/contributing/vulnerability-roundup.chapter.md new file mode 100644 index 00000000000..d451420f981 --- /dev/null +++ b/doc/contributing/vulnerability-roundup.chapter.md @@ -0,0 +1,45 @@ +# Vulnerability Roundup {#chap-vulnerability-roundup} + +## Issues {#vulnerability-roundup-issues} + +Vulnerable packages in Nixpkgs are managed using issues. +Currently opened ones can be found using the following: + +[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22) + +Each issue correspond to a vulnerable version of a package; As a consequence: + +- One issue can contain several CVEs; +- One CVE can be shared across several issues; +- A single package can be concerned by several issues. + + +A "Vulnerability roundup" issue usually respects the following format: + +```txt +<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub> + +<list of related CVEs, their CVSS score, and the impacted NixOS version> + +<list of the scanned Nixpkgs versions> + +<list of relevant contributors> +``` + +Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package. + + +## Triaging and Fixing {#vulnerability-roundup-triaging-and-fixing} + +**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable). +If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check. + +If you are investigating a "true positive": + +- Find the earliest patched version or a code patch in the CVE details; +- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch? + - **No**: + - [Submit a security fix](#submitting-changes-submitting-security-fixes); + - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches); + - **Yes**: [Backport the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches). +- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s). |