Add extra way to report security vulnerability

Review Request #806 — Created July 13, 2021 and submitted

Information

pidgin/nest
default
e6e64d98a3f3

Reviewers

- Add an extra way of reporting a security vulnerability in the project. This
  is done by creating a new issue in our issue tracker and ensuring that the
  visibility of it is set so that only Pidgin Developers can view it.
- Fix a simple mistake in markdown link syntax in the contributing page which
  links back to the Security page.
- Change hardcoded link to list of advisories to a Hugo ref link (if we ever
  change the location of the advisories page this will make Hugo throw an error
  since it won't be able to find the page; otherwise the link would just end up
  being broken without us necessarily knowing about it).

Ran dev-server.sh and verified content looks as intended.

sorvival
  1. Yes, I don't know how I didn't notice in the previous PR that I had messed up the markdown link syntax that I'm fixing here as well :P
rekkanoryo
  1. Ship It!
grim
  1. hugo/content/about/security/_index.md (Diff revision 1)

    So I just tried this with my non-admin account and you can only see the groups that you are a part of. Since it's not a Pidgin Developer, it doesn't see it.

    However, we can use an issue template url like https://issues.imfreedom.org/newIssue?project=PIDGIN&c=visible%20to%20Pidgin%20Developers where the issue will automatically be set correctly. See https://issues.imfreedom.org/issue/PIDGIN-17545 for an example that was created with that link.

    1. I can see the Pidgin Developer group and I can select it in the dropdown, and I'm not a member of that group (at least afaik). Maybe if I try to submit it an error will appear? Either way, I prefer your alternative of having the link already set up so that it sets the visibility as needed; it will lower the chances of someone using the issue tracker to post a (possible) vulnerability without restricted visibility.

    2. Fixed in rev2.

    3. Weird, I couldn't see it as mirg and that account only has one more group than you... Either way the link makes it easier :)

sorvival
grim
  1. Ship It!
grim
Review request changed

Status: Closed (submitted)
