docs: new systemd-security mailing list

In the past, we asked people to open a security bug on one of the "big"
distros. This worked OK as far as getting bugs reported and notifying some
upstream developers went. But we always had trouble getting information to
all the appropriate parties, because each time a bug was reported, a big
thread was created, with a growing CC list. People who were not CCed early
enough were missing some information, etc.

To clean this up, we decided to create a private mailing list. The natural
place would be freedesktop.org, but unfortunately the request to create a
mailing list wasn't handled
(https://gitlab.freedesktop.org/freedesktop/freedesktop/issues/134). And even
if it was, at this point, if there was ever another administrative issue, it
seems likely it could take months to resolve. So instead, we asked for a list
to be created on the redhat mailservers.

Please consider the previous security issue reporting mechanisms rescinded, and
send any senstive bugs to systemd-security@redhat.com.

diff --git a/NEWS b/NEWS
index 5a2f6df9e5e436b17e94b0a005ea8f176ec81f46..b444e2418a6b32027eb9d23e765417ff9bde1f10 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -432,6 +432,10 @@ CHANGES WITH 243 in spe:
         * IOWeight= has learnt to properly set the IO weight when using the
           BFQ scheduler officially found in kernels 5.0+.
 
+        * A new mailing list has been created for reporting of security issues:
+          systemd-security@redhat.com. For mode details, see
+          https://systemd.io/CONTRIBUTING#security-vulnerability-reports.
+
         Contributions from: Aaron Barany, Adrian Bunk, Alan Jenkins, Albrecht
         Lohofener, Andrej Valek, Anita Zhang, Arian van Putten, Balint Reczey,
         Bastien Nocera, Ben Boeckel, Benjamin Robin, camoz, Chen Qi, Chris

diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
index f40d9a010a6412dda4f5e68ef2e5696f8c6c7162..01074742179bf3fff29dbcfd3ffcd52d372a55d7 100644 (file)
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -23,7 +23,7 @@ For older versions that are still supported by your distribution please use resp
 
 ## Security vulnerability reports
 
-If you discover a security vulnerability, we'd appreciate a non-public disclosure. The issue tracker and mailing list listed above are fully public. If you need to reach systemd developers in a non-public way, report the issue in one of the "big" distributions using systemd: [Fedora](https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=systemd) (be sure to check "Security Sensitive Bug" under "Show Advanced Fields"), [Ubuntu](https://launchpad.net/ubuntu/+source/systemd/+filebug) (be sure to change "This bug contains information that is" from "Public" to "Private Security"), or [Debian](mailto:security@debian.org). Various systemd developers are active distribution maintainers and will propagate the information about the bug to other parties.
+If you discover a security vulnerability, we'd appreciate a non-public disclosure. The issue tracker and mailing list listed above are fully public. If you need to reach systemd developers in a non-public way, report the issue to the [systemd-security@redhat.com](mailto:systemd-security@redhat.com) mailing list. The disclosure will be coordinated with distributions.
 
 ## Posting Pull Requests