Closed rossabaker closed 1 year ago
Feel free to propose more rows or columns or dispute my characterizations. These are the ones I can remember being discussed.
I think we should be on Matrix, but I'm listening.
/cc @typelevel/security
The Scala and Scalameta Discords have set up a Matrix bridge. I don't know much about it, but maybe it could help unify those options.
Edit: https://t2bot.io/discord/ (but there may be other options? not sure if that's what's being used). But no encryption.
The bridge hasn't been implemented on the Typelevel Discord because it introduces moderation problems. Apparently everyone comes in as Bot, which removes the ability to block from individuals and puts a burden on bridge administrators.
Regardless, without E2EE, Discord is a non-starter for security discussions.
Precedent:
As long as we offer e-mail as Plan B, tossing PGP keys up there is prudent. (Without it, it's about as risky as Discord or IRC.) I'm not sure how well it works with the Google group that alias goes to.
Several recent disclosures start on Discord because it's what people are comfortable with as a platform and they know it's our space. Several times they were not even sure if it was a security issue. Considering how integral to our community it is, it seems reasonable to me to leverage it. I think we should have a primary means and a more secure approach if we feel it's appropriate.
If someone comes on Discord and says they have a security concern, that's no problem: they can be gently redirected to a secure channel for CVD. And sometimes security ramifications aren't recognized until the middle of a conversation: shit happens. But discussing unmitigated vulnerabilities on insecure channels puts us all at heightened risk.
If we decide to not use the most relevant platform because Discord itself might exploit something, then how do we justify GitHub? Then I at least ask for a common one that people don't need tech knowledge to leverage. So something like Signal. My best reports are from folks asking questions and then I realize and shift to DMs.
I’m good with email + Discord
how do we justify GitHub?
The liabilities of GitHub are baked in, unless we undo release automation and get strict about signed commits. (This would be good for security, and terrible for multiple other reasons.) Every other system in the process is an additive liability. If GitHub supported direct disclosure intake, that would be the way. Alas.
The OSSF recommends e-mail with hop-to-hop encryption for intake. It does not recommend requiring E2EE, though OWASP calls it "ideal". We'd be in good company with the inbox we already have, and optional PGP key for those who celebrate. The question there would be a group key (we'd need to get the Security Team into 1Password) or individual keys (only ASF does this).
It seems everyone agrees Keybase has run its course.
We've used it successfully for years, but it's basically abandonware, and we've spent more time faffing about with it on the pending GHSAs than we've spent solving the GHSAs.
Desiderata