| Message ID | 20250829-update-security-lists-v1-1-42d02ed2eb24@bootlin.com |
|---|---|
| State | Accepted |
| Series | dev-manual/security-subjects.rst: update mailing lists |
Hi Antonin, On 8/29/25 11:08 AM, Antonin Godard via lists.yoctoproject.org wrote: > Update mailing lists following changes by Michael Halstead > (https://lists.yoctoproject.org/g/yocto-security/message/1478). > > Also fix formatting/spacing. > > Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> > --- > documentation/dev-manual/security-subjects.rst | 23 ++++++++++++++--------- > 1 file changed, 14 insertions(+), 9 deletions(-) > > diff --git a/documentation/dev-manual/security-subjects.rst b/documentation/dev-manual/security-subjects.rst > index 1b02b6a9e9..6785b5a16a 100644 > --- a/documentation/dev-manual/security-subjects.rst > +++ b/documentation/dev-manual/security-subjects.rst 
> @@ -52,19 +52,24 @@ for them for significant issues. > Security-related discussions at the Yocto Project > ------------------------------------------------- > > -We have set up two security-related mailing lists: > +We have set up two security-related emails/mailing lists: > > - - Public List: yocto [dash] security [at] yoctoproject[dot] org > + - Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org > > - This is a public mailing list for anyone to subscribe to. This list is an > - open list to discuss public security issues/patches and security-related > - initiatives. For more information, including subscription information, > - please see the :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`. > + This is a public mailing list for anyone to subscribe to. This list is an > + open list to discuss public security issues/patches and security-related > + initiatives. For more information, including subscription information, > + please see the :yocto_lists:`yocto-security mailing list info page > + </g/yocto-security>`. > > - - Private List: security [at] yoctoproject [dot] org > + This list requires moderator approval for new topics to be posted, to avoid > + private security reports to be posted by mistake. > > - This is a private mailing list for reporting non-published potential > - vulnerabilities. The list is monitored by the Yocto Project Security team. > + - Yocto Project Security Team: security [at] yoctoproject [dot] org > + > + This is an email for reporting non-published potential vulnerabilities. > + Emails sent to this address are forwarded to the Yocto Project Security > + Team members. > Matches what Michael said on the ML, so I guess Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de> Please also backport wherever appropriate (maybe we should think about having this under the same mechanism we use for migration manuals so it's never outdated even in old release manuals?). Thanks! Quentin
On Mon Sep 1, 2025 at 1:35 PM CEST, Quentin Schulz via lists.yoctoproject.org wrote: > Hi Antonin, > > On 8/29/25 11:08 AM, Antonin Godard via lists.yoctoproject.org wrote: >> Update mailing lists following changes by Michael Halstead >> (https://lists.yoctoproject.org/g/yocto-security/message/1478). >> >> Also fix formatting/spacing. >> >> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> >> --- >> documentation/dev-manual/security-subjects.rst | 23 ++++++++++++++--------- >> 1 file changed, 14 insertions(+), 9 deletions(-) >> >> diff --git a/documentation/dev-manual/security-subjects.rst b/documentation/dev-manual/security-subjects.rst >> index 1b02b6a9e9..6785b5a16a 100644 >> --- a/documentation/dev-manual/security-subjects.rst >> +++ b/documentation/dev-manual/security-subjects.rst 
>> @@ -52,19 +52,24 @@ for them for significant issues. >> Security-related discussions at the Yocto Project >> ------------------------------------------------- >> >> -We have set up two security-related mailing lists: >> +We have set up two security-related emails/mailing lists: >> >> - - Public List: yocto [dash] security [at] yoctoproject[dot] org >> + - Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org >> >> - This is a public mailing list for anyone to subscribe to. This list is an >> - open list to discuss public security issues/patches and security-related >> - initiatives. For more information, including subscription information, >> - please see the :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`. >> + This is a public mailing list for anyone to subscribe to. This list is an >> + open list to discuss public security issues/patches and security-related >> + initiatives. For more information, including subscription information, >> + please see the :yocto_lists:`yocto-security mailing list info page >> + </g/yocto-security>`. >> >> - - Private List: security [at] yoctoproject [dot] org >> + This list requires moderator approval for new topics to be posted, to avoid >> + private security reports to be posted by mistake. >> >> - This is a private mailing list for reporting non-published potential >> - vulnerabilities. The list is monitored by the Yocto Project Security team. >> + - Yocto Project Security Team: security [at] yoctoproject [dot] org >> + >> + This is an email for reporting non-published potential vulnerabilities. >> + Emails sent to this address are forwarded to the Yocto Project Security >> + Team members. 
>>
>
> Matches what Michael said on the ML, so I guess
>
> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
>
> Please also backport wherever appropriate (maybe we should think about
> having this under the same mechanism we use for migration manuals so
> it's never outdated even in old release manuals?).

I think the idea is good.

One tricky point is that this is part of the development manual which has been
split in multiple documents not so long ago, so it wouldn't apply to old
releases → maybe we should move this out of the development manual and make it a
distinct (and more visible) section? What do you think? This is about security,
not really a development task.

Antonin
Hi Antonin, On 9/2/25 9:06 AM, Antonin Godard wrote: > On Mon Sep 1, 2025 at 1:35 PM CEST, Quentin Schulz via lists.yoctoproject.org wrote: >> Hi Antonin, >> >> On 8/29/25 11:08 AM, Antonin Godard via lists.yoctoproject.org wrote: >>> Update mailing lists following changes by Michael Halstead >>> (https://lists.yoctoproject.org/g/yocto-security/message/1478). >>> >>> Also fix formatting/spacing. >>> >>> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> >>> --- >>> documentation/dev-manual/security-subjects.rst | 23 ++++++++++++++--------- >>> 1 file changed, 14 insertions(+), 9 deletions(-) >>> >>> diff --git a/documentation/dev-manual/security-subjects.rst b/documentation/dev-manual/security-subjects.rst >>> index 1b02b6a9e9..6785b5a16a 100644 >>> --- a/documentation/dev-manual/security-subjects.rst >>> +++ b/documentation/dev-manual/security-subjects.rst 
>>> @@ -52,19 +52,24 @@ for them for significant issues. >>> Security-related discussions at the Yocto Project >>> ------------------------------------------------- >>> >>> -We have set up two security-related mailing lists: >>> +We have set up two security-related emails/mailing lists: >>> >>> - - Public List: yocto [dash] security [at] yoctoproject[dot] org >>> + - Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org >>> >>> - This is a public mailing list for anyone to subscribe to. This list is an >>> - open list to discuss public security issues/patches and security-related >>> - initiatives. For more information, including subscription information, >>> - please see the :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`. >>> + This is a public mailing list for anyone to subscribe to. This list is an >>> + open list to discuss public security issues/patches and security-related >>> + initiatives. For more information, including subscription information, >>> + please see the :yocto_lists:`yocto-security mailing list info page >>> + </g/yocto-security>`. >>> >>> - - Private List: security [at] yoctoproject [dot] org >>> + This list requires moderator approval for new topics to be posted, to avoid >>> + private security reports to be posted by mistake. >>> >>> - This is a private mailing list for reporting non-published potential >>> - vulnerabilities. The list is monitored by the Yocto Project Security team. >>> + - Yocto Project Security Team: security [at] yoctoproject [dot] org >>> + >>> + This is an email for reporting non-published potential vulnerabilities. >>> + Emails sent to this address are forwarded to the Yocto Project Security >>> + Team members. 
>>>
>>
>> Matches what Michael said on the ML, so I guess
>>
>> Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
>>
>> Please also backport wherever appropriate (maybe we should think about
>> having this under the same mechanism we use for migration manuals so
>> it's never outdated even in old release manuals?).
>
> I think the idea is good.
>
> One tricky point is that this is part of the development manual which has been
> split in multiple documents not so long ago, so it wouldn't apply to old
> releases → maybe we should move this out of the development manual and make it a

We can still try to figure out a way to have this similarly implemented
for older but still supported releases?

> distinct (and more visible) section? What do you think? This is about security,
> not really a development task.
>

Yes to making it more visible since I assume we want people to not have
to look too hard on how to report security issues, otherwise we may
either not receive reports or have them reported on the wrong channels.

I guess we can have it amongst the Introduction and Overview section in
the navigation panel on the left?

I think we should probably add a new section where we say that these
instructions may be outdated and you should really be double-checking
against the latest version of this security document (and maybe link to
e.g. docs.yoctoproject.org/dev/security-whatever)? If we ever change the
process, we wouldn't want people to misreport because they read the old
version of the instructions?

Cheers,
Quentin
On Tue Sep 2, 2025 at 10:53 AM CEST, Quentin Schulz via lists.yoctoproject.org wrote:

[...]

>>> Please also backport wherever appropriate (maybe we should think about
>>> having this under the same mechanism we use for migration manuals so
>>> it's never outdated even in old release manuals?).
>>
>> I think the idea is good.
>>
>> One tricky point is that this is part of the development manual which has been
>> split in multiple documents not so long ago, so it wouldn't apply to old
>> releases → maybe we should move this out of the development manual and make it a
>
> We can still try to figure out a way to have this similarly implemented
> for older but still supported releases?

Sure, if you mean walnascar/scarthgap/kirkstone I was planning on backporting
this manually to these branches anyway.

>> distinct (and more visible) section? What do you think? This is about security,
>> not really a development task.
>>
>
> Yes to making it more visible since I assume we want people to not have
> to look too hard on how to report security issues, otherwise we may
> either not receive reports or have them reported on the wrong channels.
>
> I guess we can have it amongst the Introduction and Overview section in
> the navigation panel on the left?
>
> I think we should probably add a new section where we say that these
> instructions may be outdated and you should really be double-checking
> against the latest version of this security document (and maybe link to
> e.g. docs.yoctoproject.org/dev/security-whatever)? If we ever change the
> process, we wouldn't want people to misreport because they read the old
> version of the instructions?

Yes, those are all valid points. I think it should show up on the navigation
panel. I'll try to come up with something. :)

Thanks,
Antonin
On Fri, 29 Aug 2025 11:08:25 +0200, Antonin Godard wrote:
> Update mailing lists following changes by Michael Halstead
> (https://lists.yoctoproject.org/g/yocto-security/message/1478).
>
> Also fix formatting/spacing.
>
>

Applied, thanks!

[1/1] dev-manual/security-subjects.rst: update mailing lists
      commit: 8066aa92a1acae6c99fbee92d24ee1feea65d974

Best regards,
diff --git a/documentation/dev-manual/security-subjects.rst b/documentation/dev-manual/security-subjects.rst index 1b02b6a9e9..6785b5a16a 100644 --- a/documentation/dev-manual/security-subjects.rst +++ b/documentation/dev-manual/security-subjects.rst @@ -52,19 +52,24 @@ for them for significant issues. Security-related discussions at the Yocto Project ------------------------------------------------- -We have set up two security-related mailing lists: +We have set up two security-related emails/mailing lists: - - Public List: yocto [dash] security [at] yoctoproject[dot] org + - Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org - This is a public mailing list for anyone to subscribe to. This list is an - open list to discuss public security issues/patches and security-related - initiatives. For more information, including subscription information, - please see the :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`. + This is a public mailing list for anyone to subscribe to. This list is an + open list to discuss public security issues/patches and security-related + initiatives. For more information, including subscription information, + please see the :yocto_lists:`yocto-security mailing list info page + </g/yocto-security>`. - - Private List: security [at] yoctoproject [dot] org + This list requires moderator approval for new topics to be posted, to avoid + private security reports to be posted by mistake. - This is a private mailing list for reporting non-published potential - vulnerabilities. The list is monitored by the Yocto Project Security team. + - Yocto Project Security Team: security [at] yoctoproject [dot] org + + This is an email for reporting non-published potential vulnerabilities. + Emails sent to this address are forwarded to the Yocto Project Security + Team members. What you should do if you find a security vulnerability
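Review bot: the two new sentences in this hunk have grammar problems that will land verbatim in the published manual: "to avoid private security reports to be posted by mistake" should read "to prevent private security reports from being posted by mistake", and "This is an email for reporting non-published potential vulnerabilities" should say "email address". The new intro line "two security-related emails/mailing lists" is also awkward now that only one of the two items is a list; "two security-related contact points: a public mailing list and a private email address" would match the bullets below it. Since the private address is no longer described as a list, consider adding one sentence telling reporters not to send unpublished vulnerability details to the public list, which is exactly the mistake the new moderator-approval note says it is guarding against.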
Update mailing lists following changes by Michael Halstead
(https://lists.yoctoproject.org/g/yocto-security/message/1478).

Also fix formatting/spacing.

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 documentation/dev-manual/security-subjects.rst | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
---
base-commit: dbc6137cd13f982a7fd4d1b2df79dccb177db0fc
change-id: 20250829-update-security-lists-d524520db2c9

Best regards,
--
Antonin Godard <antonin.godard@bootlin.com>