[Gt-eos] how to handle security issues

Frank Scheiner scheiner at hlrs.de
Tue May 21 15:52:58 CEST 2019


Hi Mischa,

On 5/19/19 13:34, Mischa Salle via Gt-eos wrote:
> Hi all,
> 
> we don't currently have a secure channel for discussing vulnerabilities,
> neither a bugtracker, nor even a secure email address.
> What are your thoughts on this?
> EGI is providing us kindly with the announce email address as you know:
> announcement at gridcf.org so the question is whether we should ask them
> also for a security at gridcf.org list, which unlike this list (gt-eos)
> should not be publicly archived...

Agreed. If EGI can arrange that, we would be covered.

> A private bugtracker might be a useful tool too. Not sure how we should
> arrange that though?

E.g. GitLab allows for confidential issues ([1]), but creating a
confidential issue still requires checking a box and maybe also
choosing a generic issue title. Not to mention a GitLab account.

[1]: https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html

Using an email address with a private archive would be simpler to use and
reporters can easily interact with the "issue" by just replying to an
email and we need to communicate with them anyhow.

Cheers,
Frank

-- 
Frank Scheiner

High Performance Computing Center Stuttgart (HLRS)
Department Project User Management & Accounting

Email: scheiner at hlrs.de
Phone: +49 711 685 68039
