-
-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SECURITY.md #264
base: main
Are you sure you want to change the base?
Add SECURITY.md #264
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two general observations:
- the term 'support' is not defined here, nor on our website. The filename and first heading here implicitly conveys that 'support' is related to 'security', while the (same) text on the website is not in a security specific context and presumably is about where continued development happens.
- the (general) statement about no backporting of security fixes may be read to conflict with the (specific) statement about support for the latest minor version of a previous major version. I am assuming that "specific beats general" and therefore this is an exception to the 'no backporting' rule. But perhaps it is not. I think it would be helpful to clarify this.
|
||
## Reporting a Vulnerability | ||
|
||
We take security very seriously. If you have discovered a security vulnerability |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We take security very seriously. If you have discovered a security vulnerability | |
If you have discovered a security vulnerability |
## Reporting a Vulnerability | ||
|
||
We take security very seriously. If you have discovered a security vulnerability | ||
in one of our projects and you would like to report it to us, you can send an |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in one of our projects and you would like to report it to us, you can send an | |
in one of our projects and you would like to report it to us, please send an |
older (minor) versions. In the event a new major version is released (e.g. from | ||
3.2.18 to 4.0.0), support will also be provided on the latest minor version of | ||
the previous major version (3.2.18) for a period of one year from the release of | ||
the new major version (4.0.0). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the new major version (4.0.0). | |
the new major version (4.0.0), unless the previous major version number was 0 (the 'initial development phase'). |
I also stumbled over the lack of definition of “support.” I’m assuming it to mean security and bug fixes, but we should probably say that? |
NLnet Labs adheres to the straightforward, semantic versioning scheme that is | ||
commonly used in the software industry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we want to do this properly, we should probably set up cargo-semver-checks
at some point.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you could have a look at this at some point for other projects such as Routinator and Krill, that would be nice.
No description provided.