llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

The LLVM security group should archive data on chromium.org #96039

Open kbeyls opened 2 months ago

kbeyls commented 2 months ago

For the past 4 years, the LLVM project has been using https://bugs.chromium.org/p/llvm/issues/list?q=&can=1 to enable people to report security issues to the LLVM security group. We have recently moved away from using chromium.org to using GitHub for reporting security issues.

We expect that the chromium.org issue tracker may not retain the past issues raised forever, so we should find a way to archive the data somehow. Our past transparency reports refer to the chromium issues, so if the issues went away, we'd lose historical data.

This ticket covers finding a fit-for-purpose way to archive the historical tickets.

@llvm/llvm-security-group

mmdriley commented 2 months ago

I wish I could say there was a robust and easy plan for archiving issues from https://bugs.chromium.org/ in the same low-overhead and high-fidelity way that, say, projects from Google Code were archived. Unfortunately, after discussions with the Chromium infrastructure owners, I don't think that's the case.

We have been presented an option to migrate issues from the https://bugs.chromium.org tracker ("Monorail") to Chromium's new bug tracker (https://issues.chromium.org, aka "Issue Tracker") but... I suggest we don't go that route. There have been some disruptions in transition (e.g. comments not copying over) and the end state is information hosted on another platform that serves interests+timelines different from LLVM's.

Dumb as it sounds, I suggest we print the ~60 Monorail issues to PDF and file an issue on the new tracker for each one with the old history attached. Searchability and discoverability won't be the best, though it's always possible someone will come along and add post-hoc updates with the full bug contents.

llvmbot commented 2 months ago

@llvm/issue-subscribers-infrastructure

Author: Kristof Beyls (kbeyls)

For the past 4 years, the LLVM project has been using https://bugs.chromium.org/p/llvm/issues/list?q=&can=1 to enable people to report security issues to the LLVM security group. We have recently moved away from using chromium.org to using [GitHub for reporting security issues](https://llvm.org/docs/Security.html#how-to-report-a-security-issue). We expect that the chromium.org issue tracker may not retain the past issues raised forever, so we should find a way to archive the data somehow. Our past transparency reports refer to the chromium issues, so if the issues went away, we'd lose historical data. This ticket covers finding a fit-for-purpose way to archive the historical tickets. @llvm/llvm-security-group