- Issue created by @drumm
- Merge request !302Support confidential issues in git.drupalcode.org for security team triage Initial commit → (Merged) created by drumm
- 🇺🇸United States drumm NY, US
The initial work in the MR now handles new issues being filed:
And the moved issue currently looks like this:
- 🇺🇸United States benjifisher Boston area
> Migrate existing security issues. Do we need closed issues, or lose those forever?
I think we need the closed issues. As a general rule, I hate to throw away information.
If an issue was considered a valid security issue, then fixed, then some of the important information is in the public SA. Even then, a lot of details about the possible exploit are only in the issue (now closed).
If an issue was considered not to be a valid security issue, then at best we have a comment in a public "hardening" issue. The discussion and the details are only in the issue (now closed). We often look for old issues similar to newly created ones: "in previous issues very similar to this one, we decided to fix them in public because ...".
- 🇺🇸United States damienmckenna NH, USA
Did anyone open a feature request in gitlab to have a concept of a "security" role for users to be able to access all security issues?
- 🇺🇸United States drumm NY, US
Did anyone open a feature request in gitlab to have a concept of a "security" role for users to be able to access all security issues?
No, that didn’t happen. GitLab has only recently added custom admin roles, https://docs.gitlab.com/user/custom_roles/#custom-admin-roles, which might get us partway there.
Security issues will need private forks regardless, so private MRs can be used for review and testing. Putting those private forks under https://git.drupalcode.org/security takes care of giving the security team access, and the group labels, milestones, etc keep everything organized the same way. Even if there was a good way to give security team members access to all confidential issues, that is only partway there.
- 🇺🇸United States drumm NY, US
Documentation for this is started at https://www.drupal.org/drupal-security-team/security-team-procedures/sec... →
Remaining work:
- Set up the GitLab triage bot in a git.drupalcode.org repository with GitLab CI running the schedule, either using a new branch of https://www.drupal.org/project/securitydrupalorg → or a fresh project
- More documentation, including how to publish a security issue, and triage duty
- Test with security team members
- Complete 📌 Move security advisory drafting to www.drupal.org Active to allow project maintainers access to draft security issues
- Make the https://git.drupalcode.org/security/issues/-/issues project public, so anyone can report issues
- Migrate all security.drupal.org issues
- 🇺🇸United States drumm NY, US
I believe the main work left is to migrate the issues. As far as I'm aware, the new setup is feature-complete enough.
- 🇺🇸United States drumm NY, US
And we can open this process to everyone for more testing, we don’t need to complete the migration for the new process to be the default.
- 🇺🇸United States damienmckenna NH, USA
Are we worried about the sdo issue IDs being retained on gitlab?