Re: [tor-bugs] #2671 [Company]: Better communication for authority operators, core developers in emergency situations
#2671: Better communication for authority operators, core developers in emergency situations
---------------------+------------------------------------------------------
Reporter: nickm | Owner: nickm
Type: task | Status: assigned
Priority: normal | Milestone:
Component: Company | Version:
Keywords: | Parent: #2664
Points: | Actualpoints:
---------------------+------------------------------------------------------
Comment(by nickm):
Revised plan:
Here's the part that's basically done:
- Let's have a broad security team comprising Tor developers that Tor pays
and volunteers whom we trust who seem to be helpful with security.
- To be on the secteam, Nick and Roger must agree that you should be on
the secteam. You need to agree to practice basic data hygiene, follow
responsible-disclosure practices with all Tor-related vulnerabilities you
find, and help with resolving security issues. For now we are only taking
volunteers whom one of us has met, and who have worked on fixing security
issues in Tor in the past. Once we get up to speed we might expand this.
- Let's have that team, and that team only, have access to a separate Git
repository for discussing and sharing work on undisclosed vulnerabilities.
- ALL DISCUSSIONS OF EACH ISSUE SHOULD BE MADE PUBLIC WHEN WE PATCH AND
ANNOUNCE. We should use this as a means to become more transparent in how
we handle vulnerability reports.
- There should be a GPG key that only a couple people have that is the
official way for people without access to the git repo to report new
vulnerabilities, and an official email address for it.
- We should make sure that when people report stuff, we stay in touch with
them to let them know our progress. Else they tend to get angry and
disillusioned, I hear.
We have not decided about:
- This git repository should probably notify team members of new commits
somehow. It should either use pgp-encrypted mail, or give a notification
only saying "There was a commit by personname". (Branch names and file
names are not a great thing to leak.)
- If there should be some kind of encrypted mailing list for the whole
team. I am leaning to no.
- How best to actually do stuff in the repo
- Where to publish resolved issues, on what schedule.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2671#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online