| blob | 3b5f7f2cc21c92c67aa14eeb6955ca06714fca93 |
5 <head>
8 <title></title>
10 /* Shared CSS for AsciiDoc xhtml11 and html5 backends */
12 /* Default font. */
13 body {
14 font-family: Georgia,serif;
15 }
17 /* Title font. */
18 h1, h2, h3, h4, h5, h6,
19 div.title, caption.title,
20 thead, p.table.header,
21 #toctitle,
22 #author, #revnumber, #revdate, #revremark,
23 #footer {
24 font-family: Arial,Helvetica,sans-serif;
25 }
27 body {
29 }
31 a {
32 color: blue;
33 text-decoration: underline;
34 }
35 a:visited {
36 color: fuchsia;
37 }
39 em {
40 font-style: italic;
41 color: navy;
42 }
44 strong {
45 font-weight: bold;
46 color: #083194;
47 }
49 h1, h2, h3, h4, h5, h6 {
50 color: #527bbd;
51 margin-top: 1.2em;
52 margin-bottom: 0.5em;
53 line-height: 1.3;
54 }
56 h1, h2, h3 {
57 border-bottom: 2px solid silver;
58 }
59 h2 {
60 padding-top: 0.5em;
61 }
62 h3 {
63 float: left;
64 }
65 h3 + * {
66 clear: left;
67 }
68 h5 {
69 font-size: 1.0em;
70 }
72 div.sectionbody {
73 margin-left: 0;
74 }
76 hr {
77 border: 1px solid silver;
78 }
80 p {
81 margin-top: 0.5em;
82 margin-bottom: 0.5em;
83 }
85 ul, ol, li > p {
86 margin-top: 0;
87 }
88 ul > li { color: #aaa; }
91 .monospaced, code, pre {
92 font-family: "Courier New", Courier, monospace;
93 font-size: inherit;
94 color: navy;
95 padding: 0;
96 margin: 0;
97 }
98 pre {
99 white-space: pre-wrap;
100 }
102 #author {
103 color: #527bbd;
104 font-weight: bold;
105 font-size: 1.1em;
106 }
107 #email {
108 }
109 #revnumber, #revdate, #revremark {
110 }
112 #footer {
113 font-size: small;
114 border-top: 2px solid silver;
115 padding-top: 0.5em;
116 margin-top: 4.0em;
117 }
118 #footer-text {
119 float: left;
120 padding-bottom: 0.5em;
121 }
122 #footer-badges {
123 float: right;
124 padding-bottom: 0.5em;
125 }
127 #preamble {
128 margin-top: 1.5em;
129 margin-bottom: 1.5em;
130 }
131 div.imageblock, div.exampleblock, div.verseblock,
132 div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
133 div.admonitionblock {
134 margin-top: 1.0em;
135 margin-bottom: 1.5em;
136 }
137 div.admonitionblock {
138 margin-top: 2.0em;
139 margin-bottom: 2.0em;
140 margin-right: 10%;
141 color: #606060;
142 }
144 div.content { /* Block element content. */
145 padding: 0;
146 }
148 /* Block element titles. */
149 div.title, caption.title {
150 color: #527bbd;
151 font-weight: bold;
152 text-align: left;
153 margin-top: 1.0em;
154 margin-bottom: 0.5em;
155 }
156 div.title + * {
157 margin-top: 0;
158 }
160 td div.title:first-child {
161 margin-top: 0.0em;
162 }
163 div.content div.title:first-child {
164 margin-top: 0.0em;
165 }
166 div.content + div.title {
167 margin-top: 0.0em;
168 }
170 div.sidebarblock > div.content {
171 background: #ffffee;
172 border: 1px solid #dddddd;
173 border-left: 4px solid #f0f0f0;
174 padding: 0.5em;
175 }
177 div.listingblock > div.content {
178 border: 1px solid #dddddd;
179 border-left: 5px solid #f0f0f0;
180 background: #f8f8f8;
181 padding: 0.5em;
182 }
184 div.quoteblock, div.verseblock {
185 padding-left: 1.0em;
186 margin-left: 1.0em;
187 margin-right: 10%;
188 border-left: 5px solid #f0f0f0;
189 color: #888;
190 }
192 div.quoteblock > div.attribution {
193 padding-top: 0.5em;
194 text-align: right;
195 }
197 div.verseblock > pre.content {
198 font-family: inherit;
199 font-size: inherit;
200 }
201 div.verseblock > div.attribution {
202 padding-top: 0.75em;
203 text-align: left;
204 }
205 /* DEPRECATED: Pre version 8.2.7 verse style literal block. */
206 div.verseblock + div.attribution {
207 text-align: left;
208 }
210 div.admonitionblock .icon {
211 vertical-align: top;
212 font-size: 1.1em;
213 font-weight: bold;
214 text-decoration: underline;
215 color: #527bbd;
216 padding-right: 0.5em;
217 }
218 div.admonitionblock td.content {
219 padding-left: 0.5em;
220 border-left: 3px solid #dddddd;
221 }
223 div.exampleblock > div.content {
224 border-left: 3px solid #dddddd;
225 padding-left: 0.5em;
226 }
228 div.imageblock div.content { padding-left: 0; }
229 span.image img { border-style: none; vertical-align: text-bottom; }
230 a.image:visited { color: white; }
232 dl {
233 margin-top: 0.8em;
234 margin-bottom: 0.8em;
235 }
236 dt {
237 margin-top: 0.5em;
238 margin-bottom: 0;
239 font-style: normal;
240 color: navy;
241 }
242 dd > *:first-child {
243 margin-top: 0.1em;
244 }
246 ul, ol {
247 list-style-position: outside;
248 }
249 ol.arabic {
250 list-style-type: decimal;
251 }
252 ol.loweralpha {
253 list-style-type: lower-alpha;
254 }
255 ol.upperalpha {
256 list-style-type: upper-alpha;
257 }
258 ol.lowerroman {
259 list-style-type: lower-roman;
260 }
261 ol.upperroman {
262 list-style-type: upper-roman;
263 }
265 div.compact ul, div.compact ol,
266 div.compact p, div.compact p,
267 div.compact div, div.compact div {
268 margin-top: 0.1em;
269 margin-bottom: 0.1em;
270 }
272 tfoot {
273 font-weight: bold;
274 }
275 td > div.verse {
276 white-space: pre;
277 }
279 div.hdlist {
280 margin-top: 0.8em;
281 margin-bottom: 0.8em;
282 }
283 div.hdlist tr {
284 padding-bottom: 15px;
285 }
286 dt.hdlist1.strong, td.hdlist1.strong {
287 font-weight: bold;
288 }
289 td.hdlist1 {
290 vertical-align: top;
291 font-style: normal;
292 padding-right: 0.8em;
293 color: navy;
294 }
295 td.hdlist2 {
296 vertical-align: top;
297 }
298 div.hdlist.compact tr {
299 margin: 0;
300 padding-bottom: 0;
301 }
303 .comment {
304 background: yellow;
305 }
307 .footnote, .footnoteref {
308 font-size: 0.8em;
309 }
311 span.footnote, span.footnoteref {
312 vertical-align: super;
313 }
315 #footnotes {
318 }
320 #footnotes div.footnote {
322 }
324 #footnotes hr {
325 border: none;
326 border-top: 1px solid silver;
327 height: 1px;
328 text-align: left;
329 margin-left: 0;
330 width: 20%;
331 min-width: 100px;
332 }
334 div.colist td {
335 padding-right: 0.5em;
336 padding-bottom: 0.3em;
337 vertical-align: top;
338 }
339 div.colist td img {
340 margin-top: 0.3em;
341 }
343 @media print {
344 #footer-badges { display: none; }
345 }
347 #toc {
348 margin-bottom: 2.5em;
349 }
351 #toctitle {
352 color: #527bbd;
353 font-size: 1.1em;
354 font-weight: bold;
355 margin-top: 1.0em;
356 margin-bottom: 0.1em;
357 }
359 div.toclevel0, div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
360 margin-top: 0;
361 margin-bottom: 0;
362 }
363 div.toclevel2 {
364 margin-left: 2em;
365 font-size: 0.9em;
366 }
367 div.toclevel3 {
368 margin-left: 4em;
369 font-size: 0.9em;
370 }
371 div.toclevel4 {
372 margin-left: 6em;
373 font-size: 0.9em;
374 }
376 span.aqua { color: aqua; }
377 span.black { color: black; }
378 span.blue { color: blue; }
379 span.fuchsia { color: fuchsia; }
380 span.gray { color: gray; }
381 span.green { color: green; }
382 span.lime { color: lime; }
383 span.maroon { color: maroon; }
384 span.navy { color: navy; }
385 span.olive { color: olive; }
386 span.purple { color: purple; }
387 span.red { color: red; }
388 span.silver { color: silver; }
389 span.teal { color: teal; }
390 span.white { color: white; }
391 span.yellow { color: yellow; }
393 span.aqua-background { background: aqua; }
394 span.black-background { background: black; }
395 span.blue-background { background: blue; }
396 span.fuchsia-background { background: fuchsia; }
397 span.gray-background { background: gray; }
398 span.green-background { background: green; }
399 span.lime-background { background: lime; }
400 span.maroon-background { background: maroon; }
401 span.navy-background { background: navy; }
402 span.olive-background { background: olive; }
403 span.purple-background { background: purple; }
404 span.red-background { background: red; }
405 span.silver-background { background: silver; }
406 span.teal-background { background: teal; }
407 span.white-background { background: white; }
408 span.yellow-background { background: yellow; }
410 span.big { font-size: 2em; }
411 span.small { font-size: 0.6em; }
413 span.underline { text-decoration: underline; }
414 span.overline { text-decoration: overline; }
415 span.line-through { text-decoration: line-through; }
417 div.unbreakable { page-break-inside: avoid; }
420 /*
421 * xhtml11 specific
422 *
423 * */
425 div.tableblock {
426 margin-top: 1.0em;
427 margin-bottom: 1.5em;
428 }
429 div.tableblock > table {
431 }
432 thead, p.table.header {
433 font-weight: bold;
434 color: #527bbd;
435 }
436 p.table {
437 margin-top: 0;
438 }
439 /* Because the table frame attribute is overridden by CSS in most browsers. */
441 border-style: none;
442 }
444 border-left-style: none;
445 border-right-style: none;
446 }
448 border-top-style: none;
449 border-bottom-style: none;
450 }
453 /*
454 * html5 specific
455 *
456 * */
458 table.tableblock {
459 margin-top: 1.0em;
460 margin-bottom: 1.5em;
461 }
462 thead, p.tableblock.header {
463 font-weight: bold;
464 color: #527bbd;
465 }
466 p.tableblock {
467 margin-top: 0;
468 }
469 table.tableblock {
470 border-width: 3px;
471 border-spacing: 0px;
472 border-style: solid;
473 border-color: #527bbd;
474 border-collapse: collapse;
475 }
476 th.tableblock, td.tableblock {
477 border-width: 1px;
478 padding: 4px;
479 border-style: solid;
480 border-color: #527bbd;
481 }
483 table.tableblock.frame-topbot {
484 border-left-style: hidden;
485 border-right-style: hidden;
486 }
487 table.tableblock.frame-sides {
488 border-top-style: hidden;
489 border-bottom-style: hidden;
490 }
491 table.tableblock.frame-none {
492 border-style: hidden;
493 }
495 th.tableblock.halign-left, td.tableblock.halign-left {
496 text-align: left;
497 }
498 th.tableblock.halign-center, td.tableblock.halign-center {
499 text-align: center;
500 }
501 th.tableblock.halign-right, td.tableblock.halign-right {
502 text-align: right;
503 }
505 th.tableblock.valign-top, td.tableblock.valign-top {
506 vertical-align: top;
507 }
508 th.tableblock.valign-middle, td.tableblock.valign-middle {
509 vertical-align: middle;
510 }
511 th.tableblock.valign-bottom, td.tableblock.valign-bottom {
512 vertical-align: bottom;
513 }
516 /*
517 * manpage specific
518 *
519 * */
521 body.manpage h1 {
522 padding-top: 0.5em;
523 padding-bottom: 0.5em;
524 border-top: 2px solid silver;
525 border-bottom: 2px solid silver;
526 }
527 body.manpage h2 {
528 border-style: none;
529 }
530 body.manpage div.sectionbody {
531 margin-left: 3em;
532 }
534 @media print {
535 body.manpage div#toc { display: none; }
536 }
539 </style>
541 /*<![CDATA[*/
542 var asciidoc = { // Namespace.
544 /////////////////////////////////////////////////////////////////////
545 // Table Of Contents generator
546 /////////////////////////////////////////////////////////////////////
548 /* Author: Mihai Bazon, September 2002
549 * http://students.infoiasi.ro/~mishoo
550 *
551 * Table Of Content generator
552 * Version: 0.4
553 *
554 * Feel free to use this script under the terms of the GNU General Public
555 * License, as long as you do not remove or alter this notice.
556 */
558 /* modified by Troy D. Hanson, September 2006. License: GPL */
562 toc: function (toclevels) {
564 function getText(el) {
565 var text = "";
566 for (var i = el.firstChild; i != null; i = i.nextSibling) {
567 if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
568 text += i.data;
569 else if (i.firstChild != null)
570 text += getText(i);
571 }
572 return text;
573 }
575 function TocEntry(el, text, toclevel) {
576 this.element = el;
577 this.text = text;
578 this.toclevel = toclevel;
579 }
581 function tocEntries(el, toclevels) {
582 var result = new Array;
584 // Function that scans the DOM tree for header elements (the DOM2
585 // nodeIterator API would be a better technique but not supported by all
586 // browsers).
587 var iterate = function (el) {
588 for (var i = el.firstChild; i != null; i = i.nextSibling) {
589 if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
590 var mo = re.exec(i.tagName);
593 }
594 iterate(i);
595 }
596 }
597 }
598 iterate(el);
599 return result;
600 }
602 var toc = document.getElementById("toc");
603 if (!toc) {
604 return;
605 }
607 // Delete existing TOC entries in case we're reloading the TOC.
608 var tocEntriesToRemove = [];
609 var i;
610 for (i = 0; i < toc.childNodes.length; i++) {
611 var entry = toc.childNodes[i];
612 if (entry.nodeName.toLowerCase() == 'div'
613 && entry.getAttribute("class")
614 && entry.getAttribute("class").match(/^toclevel/))
615 tocEntriesToRemove.push(entry);
616 }
617 for (i = 0; i < tocEntriesToRemove.length; i++) {
618 toc.removeChild(tocEntriesToRemove[i]);
619 }
621 // Rebuild TOC entries.
622 var entries = tocEntries(document.getElementById("content"), toclevels);
623 for (var i = 0; i < entries.length; ++i) {
624 var entry = entries[i];
625 if (entry.element.id == "")
626 entry.element.id = "_toc_" + i;
627 var a = document.createElement("a");
628 a.href = "#" + entry.element.id;
629 a.appendChild(document.createTextNode(entry.text));
630 var div = document.createElement("div");
631 div.appendChild(a);
632 div.className = "toclevel" + entry.toclevel;
633 toc.appendChild(div);
634 }
635 if (entries.length == 0)
636 toc.parentNode.removeChild(toc);
637 },
640 /////////////////////////////////////////////////////////////////////
641 // Footnotes generator
642 /////////////////////////////////////////////////////////////////////
644 /* Based on footnote generation code from:
646 */
648 footnotes: function () {
649 // Delete existing footnote entries in case we're reloading the footnodes.
650 var i;
651 var noteholder = document.getElementById("footnotes");
652 if (!noteholder) {
653 return;
654 }
655 var entriesToRemove = [];
656 for (i = 0; i < noteholder.childNodes.length; i++) {
657 var entry = noteholder.childNodes[i];
659 entriesToRemove.push(entry);
660 }
661 for (i = 0; i < entriesToRemove.length; i++) {
662 noteholder.removeChild(entriesToRemove[i]);
663 }
665 // Rebuild footnote entries.
666 var cont = document.getElementById("content");
667 var spans = cont.getElementsByTagName("span");
668 var refs = {};
669 var n = 0;
671 if (spans[i].className == "footnote") {
672 n++;
673 var note = spans[i].getAttribute("data-note");
674 if (!note) {
675 // Use [\s\S] in place of . so multi-line matches work.
676 // Because JavaScript has no s (dotall) regex flag.
677 note = spans[i].innerHTML.match(/\s*\[([\s\S]*)]\s*/)[1];
678 spans[i].innerHTML =
681 spans[i].setAttribute("data-note", note);
682 }
683 noteholder.innerHTML +=
687 var id =spans[i].getAttribute("id");
688 if (id != null) refs["#"+id] = n;
689 }
690 }
691 if (n == 0)
692 noteholder.parentNode.removeChild(noteholder);
693 else {
694 // Process footnoterefs.
696 if (spans[i].className == "footnoteref") {
698 href = href.match(/#.*/)[0]; // Because IE return full URL.
699 n = refs[href];
700 spans[i].innerHTML =
701 "[<a href='#_footnote_" + n +
703 }
704 }
705 }
706 },
708 install: function(toclevels) {
709 var timerId;
711 function reinstall() {
712 asciidoc.footnotes();
713 if (toclevels) {
714 asciidoc.toc(toclevels);
715 }
716 }
718 function reinstallAndRemoveTimer() {
719 clearInterval(timerId);
720 reinstall();
721 }
723 timerId = setInterval(reinstall, 500);
724 if (document.addEventListener)
725 document.addEventListener("DOMContentLoaded", reinstallAndRemoveTimer, false);
726 else
727 window.onload = reinstallAndRemoveTimer;
728 }
730 }
731 asciidoc.install();
732 /*]]>*/
733 </script>
734 </head>
737 </div>
742 <div class="paragraph"><p>To protect Git users from critical vulnerabilities, we do not just release
743 fixed versions like regular maintenance releases. Instead, we coordinate
744 releases with packagers, keeping the fixes under an embargo until the release
745 date. That way, users will have a chance to upgrade on that date, no matter
746 what Operating System or distribution they run.</p></div>
747 </div>
748 </div>
750 <h2 id="_the_code_git_security_code_mailing_list">The <code>git-security</code> mailing list</h2>
752 <div class="paragraph"><p>Responsible disclosures of vulnerabilities, analysis, proposed fixes as
753 well as the orchestration of coordinated embargoed releases all happen on the
754 <code>git-security</code> mailing list at <<a href="mailto:git-security@googlegroups.com">git-security@googlegroups.com</a>>.</p></div>
755 <div class="paragraph"><p>In this context, the term "embargo" refers to the time period that information
756 about a vulnerability is kept under wraps and only shared on a need-to-know
757 basis. This is necessary to protect Git’s users from bad actors who would
758 otherwise be made aware of attack vectors that could be exploited. "Lifting the
761 <h3 id="_audience_of_the_code_git_security_code_mailing_list">Audience of the <code>git-security</code> mailing list</h3>
762 <div class="paragraph"><p>Anybody may contact the <code>git-security</code> mailing list by sending an email
763 to <<a href="mailto:git-security@googlegroups.com">git-security@googlegroups.com</a>>, though the archive is closed to the
764 public and only accessible to subscribed members.</p></div>
765 <div class="paragraph"><p>There are a few dozen subscribed members: core Git developers who are trusted
766 with addressing vulnerabilities, and stakeholders (i.e. owners of products
767 affected by security vulnerabilities in Git).</p></div>
768 <div class="paragraph"><p>Most of the discussions revolve around assessing the severity of the reported
769 issue (including the decision whether the report is security-relevant or can be
770 redirected to the public mailing list), how to remediate the issue, determining
771 the timeline of the disclosure as well as aligning priorities and
772 requirements.</p></div>
773 </div>
776 <div class="paragraph"><p>If you are a stakeholder, it is a good idea to pay close attention to the
777 discussions, as pertinent information may be buried in the middle of a lively
778 conversation that might not look relevant to your interests. For example, the
779 tentative timeline might be agreed upon in the middle of discussing code
780 comment formatting in one of the patches and whether or not to combine fixes
781 for multiple, separate vulnerabilities into the same embargoed release. Most
782 mail threads are not usually structured specifically to communicate
783 agreements, assessments or timelines.</p></div>
784 </div>
785 </div>
786 </div>
791 <li>
792 <p>
794 </p>
795 </li>
796 <li>
797 <p>
798 The members of the git-security list start a discussion to give an initial
799 assessment of the severity of the reported potential vulnerability.
800 We aspire to do so within a few days.
801 </p>
802 </li>
803 <li>
804 <p>
805 After discussion, if consensus is reached that it is not critical enough
806 to warrant any embargo, the reporter is redirected to the public Git mailing
808 </p>
809 </li>
810 <li>
811 <p>
812 If it is deemed critical enough for an embargo, ideas are presented on how to
813 address the vulnerability.
814 </p>
815 </li>
816 <li>
817 <p>
818 Usually around that time, the Git maintainer or their delegate(s) open a draft
820 details).
821 </p>
822 </li>
823 <li>
824 <p>
825 Code review can take place in a variety of different locations,
826 depending on context. These are: patches sent inline on the git-security list,
827 a private fork on GitHub associated with the draft security advisory, or the
828 git/cabal repository.
829 </p>
830 </li>
831 <li>
832 <p>
833 Contributors working on a fix should consider beginning by sending
834 patches to the git-security list (inline with the original thread), since they
835 are accessible to all subscribers, along with the original reporter.
836 </p>
837 </li>
838 <li>
839 <p>
840 Once the review has settled and everyone involved in the review agrees that
841 the patches are nearing the finish line, the Git maintainer, and others
842 determine a release date as well as the release trains that are serviced. The
843 decision regarding which versions need a backported fix is based on input from
844 the reporter, the contributor who worked on the patches, and from
845 stakeholders. Operators of hosting sites who may want to analyze whether the
846 given issue is exploited via any of the repositories they host, and binary
847 packagers who want to make sure their product gets patched adequately against
848 the vulnerability, for example, may want to give their input at this stage.
849 </p>
850 </li>
851 <li>
852 <p>
853 While the Git community does its best to accommodate the specific timeline
854 requests of the various binary packagers, the nature of the issue may preclude
855 a prolonged release schedule. For fixes deemed urgent, it may be in the best
856 interest of the Git users community to shorten the disclosure and release
857 timeline, and packagers may need to adapt accordingly.
858 </p>
859 </li>
860 <li>
861 <p>
862 Subsequently, branches with the fixes are pushed to the git/cabal repository.
863 </p>
864 </li>
865 <li>
866 <p>
867 The tags are created by the Git maintainer and pushed to the same repository.
868 </p>
869 </li>
870 <li>
871 <p>
872 The Git for Windows, Git for macOS, BSD, Debian, etc. maintainers prepare the
873 corresponding release artifacts, based on the tags created that have been
874 prepared by the Git maintainer.
875 </p>
876 </li>
877 <li>
878 <p>
879 The release artifacts prepared by various binary packagers can be
880 made available to stakeholders under embargo via a mail to the
882 </p>
883 </li>
884 <li>
885 <p>
886 Less than a week before the release, a mail with the relevant information is
887 sent to <<a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a>> (see below), a list used to pre-announce
888 embargoed releases of open source projects to the stakeholders of all major
889 distributions of Linux as well as other OSes.
890 </p>
891 </li>
892 <li>
893 <p>
894 Public communication is then prepared in advance of the release date. This
895 includes blog posts and mails to the Git and Git for Windows mailing lists.
896 </p>
897 </li>
898 <li>
899 <p>
900 On the day of the release, at around 10am Pacific Time, the Git maintainer
902 out an announcement mail.
903 </p>
904 </li>
905 <li>
906 <p>
907 Once the tag is pushed, the Git for Windows maintainer publishes the
908 corresponding tag and creates a GitHub Release with the associated release
909 artifacts (Git for Windows installer, Portable Git, MinGit, etc).
910 </p>
911 </li>
912 <li>
913 <p>
914 Git for Windows release is then announced via a mail to the public Git and
915 Git for Windows mailing lists as well as via a tweet.
916 </p>
917 </li>
918 <li>
919 <p>
920 Ditto for distribution packagers for Linux and other platforms:
921 their releases are announced via their preferred channels.
922 </p>
923 </li>
924 <li>
925 <p>
926 A mail to <<a href="mailto:oss-security@lists.openwall.org">oss-security@lists.openwall.org</a>> (see below for details) is sent
927 as a follow-up to the <<a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a>> one, describing the
928 vulnerability in detail, often including a proof of concept of an exploit.
929 </p>
930 </li>
931 </ul></div>
932 <div class="paragraph"><p>Note: The Git project makes no guarantees about timelines, but aims to keep
936 <div class="paragraph"><p>The first step is to <a href="https://github.com/git/git/security/advisories/new">open
937 an advisory</a>. Technically, this is not necessary. However, it is the most
938 convenient way to obtain the CVE number and it gives us a private repository
939 associated with it that can be used to collaborate on a fix.</p></div>
940 </div>
943 <div class="paragraph"><p>At most two weeks before release date, we need to send a notification to
944 <<a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a>>, preferably less than 7 days before the release date.
945 This will reach most (all?) Linux distributions. See an example below, and the
946 guidelines for this mailing list at
947 <a href="https://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists">here</a>.</p></div>
948 <div class="paragraph"><p>Once the version has been published, we send a note about that to oss-security.
952 their guidelines.</p></div>
953 <div class="paragraph"><p>The mail to oss-security should also describe the exploit, and give credit to
954 the reporter(s): security researchers still receive too little respect for the
955 invaluable service they provide, and public credit goes a long way to keep them
956 paid by their respective organizations.</p></div>
957 <div class="paragraph"><p>Technically, describing any exploit can be delayed up to 7 days, but we usually
958 refrain from doing that, including it right away.</p></div>
959 <div class="paragraph"><p>As a courtesy we typically attach a Git bundle (as <code>.tar.xz</code> because the list
961 parties can take care of integrating/backporting them. This bundle is typically
962 created using a command like this:</p></div>
965 <pre><code>git bundle create cve-xxx.bundle ^origin/master vA.B.C vD.E.F
966 tar cJvf cve-xxx.bundle.tar.xz cve-xxx.bundle</code></pre>
967 </div></div>
968 </div>
970 <h3 id="_example_mail_to_a_href_mailto_distros_vs_openwall_org_distros_vs_openwall_org_a">Example mail to <a href="mailto:distros@vs.openwall.org">distros@vs.openwall.org</a></h3>
973 <pre><code>To: distros@vs.openwall.org
975 Subject: [vs] Upcoming Git security fix release
977 Team,
980 soon thereafter. I have attached a Git bundle (embedded in a `.tar.xz` to avoid
981 it being dropped) which you can fetch into a clone of
982 https://github.com/git/git via `git fetch --tags /path/to/cve-xxx.bundle`,
986 the Git maintainer, using the same GPG key as e.g. v2.24.0.
988 Please use these tags to prepare `git` packages for your various
989 distributions, using the appropriate tagged versions. The added test cases
990 help verify the correctness.
992 The addressed issues are:
994 <list of CVEs with a short description, typically copy/pasted from Git's
995 release notes, usually demo exploit(s), too>
1000 Thanks,
1002 </div></div>
1003 </div>
1005 <h3 id="_example_mail_to_a_href_mailto_oss_security_lists_openwall_com_oss_security_lists_openwall_com_a">Example mail to <a href="mailto:oss-security@lists.openwall.com">oss-security@lists.openwall.com</a></h3>
1008 <pre><code>To: oss-security@lists.openwall.com
1012 Team,
1016 All supported platforms are affected in one way or another, and all Git
1022 We highly recommend to upgrade.
1024 The addressed issues are:
1030 Thanks,
1032 </div></div>
1033 </div>
1034 </div>
1035 </div>
1036 </div>
1040 Last updated
1042 </div>
1043 </div>
1044 </body>
1045 </html>