r-multiverse / help

Discussions, issues, and feedback for R-multiverse
https://r-multiverse.org
MIT License

GitHub security for repos #56

Closed wlandau closed 1 week ago

wlandau commented 3 weeks ago

I just turned on the "Github recommended" configuration for all our public repos (https://github.com/organizations/r-multiverse/settings/security_products).

wlandau commented 3 weeks ago

Instead of a repo-level security.txt file, I propose we add a security policy to r-multiverse.org (similar to our approach for https://github.com/r-multiverse/r-multiverse.github.io/pull/16). This could cover who to contact, as well as R-multiverse-specific issues like https://github.com/r-multiverse/help/discussions/63. Sound okay?

shikokuchuo commented 2 weeks ago

Yes, I'm fine with having it at the root of the website. Do you have a template/precedent in mind for this?

wlandau commented 2 weeks ago

When I go to https://github.com/wlandau/crew/community and click "set up security policy", this is the template I see:

# Security Policy

## Supported Versions

Use this section to tell people about which versions of your project are
currently being supported with security updates.

| Version | Supported          |
| ------- | ------------------ |
| 5.1.x   | :white_check_mark: |
| 5.0.x   | :x:                |
| 4.0.x   | :white_check_mark: |
| < 4.0   | :x:                |

## Reporting a Vulnerability

Use this section to tell people how to report a vulnerability.

Tell them where to go, how often they can expect to get an update on a
reported vulnerability, what to expect if the vulnerability is accepted or
declined, etc.

And from https://docs.github.com/en/code-security/getting-started/adding-a-security-policy-to-your-repository, I gather the purpose is to tell users how to report vulnerabilities. For R-multiverse, I might first start by explaining additional kinds of problems to look for:

  1. DDoS: too many open PRs at https://github.com/r-multiverse/contributions.
  2. DDoS: too many bogus URLs in https://github.com/r-multiverse/contributions/tree/main/packages
  3. URLs in https://github.com/r-multiverse/contributions/tree/main/packages which violate the code of conduct, whether through offensive names, plagiarism, etc.

And for reporting vulnerabilities, I think I might prefer private vulnerability reporting rather than giving out our personal email addresses. (It's at least worth investigating.)

Sound okay?

shikokuchuo commented 2 weeks ago

Sounds fine. I don't think there is a single standard for this. I didn't know about private vulnerability reporting; it looks like the way to go!