Commit Graph

5 Commits

Author SHA1 Message Date
Michael Catanzaro
61075ef0bd Expand security policy to cover previous stable branch
The goal here is to reconcile the difference between GLib's 6-month
security policy and GNOME's 12-month policy (which may soon be expanded
to 13 months, gnome-build-meta#731). It's strange for GLib to be an
exception when the rest of GNOME supports two stable branches at a time.
I'm not aware of any other GNOME project with a shorter release lifetime
than GNOME itself, and it results in a situation where the previous
stable version of the GNOME runtime never receives any GLib updates,
since we stick with the same GLib version for the entire release and do
not do security backports.

But I also want to avoid creating an expectation that GLib maintainers
will do a bunch of additional backporting work, so most commits should
be out of scope. We can say maintainer discretion will be used to
determine whether a backport to the previous stable branch is warranted.
And normally, it won't be, so the goal should be no previous stable
branch releases. But occasionally we might feel a CVE is important
enough that a release really is warranted.
2023-10-03 09:12:37 +01:00
Philip Withnall
1309719c50 docs: Update SECURITY to stop mentioning a deprecated mailing list
Discourse has replaced the GNOME mailing lists.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2022-12-13 19:16:35 +00:00
Philip Withnall
b8160ce18b docs: Add a note about git-evtag to SECURITY.md
2021-09-07 11:21:12 +00:00
Philip Withnall
1a43d950b4 docs: Update various external links to use HEAD instead of master
Update several links to allow the remote to use its configured default
branch name, rather than specifying `master` as the default branch name.
This will help avoid breakage if any of these projects rename their
default branch in the future.

Fix a few of the links where they were hitting redirects or had moved.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Helps: #2348
2021-06-07 14:03:48 +01:00
Philip Withnall
dec66d325f docs: Add a policy for handling security issues
This also gives details of how to report a security issue, including the
key point that merge requests are (unfortunately) not confidential.

Heavily based on the flatpak security policy which just landed:
https://github.com/flatpak/flatpak/blob/master/SECURITY.md

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>
2021-03-11 17:38:51 +00:00