[tor-bugs] #2671 [Company]: Better communication for authority operators, core developers in emergency situations
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Apr 26 02:10:05 UTC 2011
#2671: Better communication for authority operators, core developers in emergency
situations
---------------------+------------------------------------------------------
Reporter: nickm | Owner: nickm
Type: task | Status: assigned
Priority: normal | Milestone:
Component: Company | Version:
Keywords: | Parent: #2664
Points: | Actualpoints:
---------------------+------------------------------------------------------
Changes (by nickm):
* owner: => nickm
Comment:
So for handling vulnerabilities, let me summarize what I think after
talking with arma today, and hearing about what some other projects do.
- Let's have a broad security team comprising Tor developers that Tor pays
and volunteers whom we trust who seem to be helpful with security.
- Let's have that team, and that team only, have access to a separate svn
repository for discussing and sharing work on undisclosed vulnerabilities.
- There should be a GPG key that only a couple people have that is the
official way for people without access to the svn repo to report new
vulnerabilities.
- We should make sure that when people report stuff, we stay in touch with
them to let them know our progress. Else they tend to get angry and
disillusioned, I hear.
- This SVN repository should send a minimal email to the team only on
commits: either encrypted to a pgp key, or giving only a notification that
there were commits (maybe a filename?)
- If we want to have discussions about stuff, we can do it via the svn
repo or via email. Email should cc the entire security team, using gpg.
We can have a regularly rotated key that the security team shares (if
we're lazy) or a carefully cross-signed set of keys that everybody
remembers to encrypt every message to before sending it to the list (if
we're brave.)
- ALL DISCUSSIONS OF EACH ISSUE SHOULD BE MADE PUBLIC WHEN WE PATCH AND
ANNOUNCE. We should use this as a means to become more transparent in how
we handle vulnerability reports.
Thoughts?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2671#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list