* Security
@ 2020-12-20 13:13 reportyigit46
2020-12-20 13:46 ` Security Jérémie Roquet
0 siblings, 1 reply; 14+ messages in thread
From: reportyigit46 @ 2020-12-20 13:13 UTC (permalink / raw)
To: zsh-workers
[-- Attachment #1: Type: text/plain, Size: 78 bytes --]
Hello,
I want to share a security issue. Can you share the e-mail of the security team?
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: Security
2020-12-20 13:13 Security reportyigit46
@ 2020-12-20 13:46 ` Jérémie Roquet
2020-12-23 5:53 ` Security reportyigit46
0 siblings, 1 reply; 14+ messages in thread
From: Jérémie Roquet @ 2020-12-20 13:46 UTC (permalink / raw)
To: reportyigit46
Cc: zsh-workers, Oliver Kiddle, Bart Schaefer, Peter Stephenson,
Stephane Chazelas
Hi,
On Sun 20 Dec 2020 at 14:13, reportyigit46
<reportyigit46@protonmail.com> wrote:
> I want to share a security issue. Can you share the e-mail of the security team?
If it's a security issue in zsh, you can get in touch with Oliver,
Bart, and of course Peter. You might want to cc. Stephane as well, as
he has some experience on the matter (e.g. Shellshock).
I've put all of them in cc.
Best regards,
--
Jérémie
* Re: Security
2020-12-20 13:46 ` Security Jérémie Roquet
@ 2020-12-23 5:53 ` reportyigit46
2020-12-23 17:17 ` Security Peter Stephenson
2020-12-23 17:18 ` Security gi1242+zsh
0 siblings, 2 replies; 14+ messages in thread
From: reportyigit46 @ 2020-12-23 5:53 UTC (permalink / raw)
To: Jérémie Roquet
Cc: zsh-workers, Oliver Kiddle, Bart Schaefer, Peter Stephenson,
Stephane Chazelas
[-- Attachment #1: Type: text/plain, Size: 607 bytes --]
Hello,
I can't get an answer from Oliver. Which one can give me an answer?
Thank you,
On Sun, Dec 20, 2020 16:46, Jérémie Roquet <jroquet@arkanosis.net> wrote:
> Hi,
>
> On Sun 20 Dec 2020 at 14:13, reportyigit46
> <reportyigit46@protonmail.com> wrote:
>> I want to share a security issue. Can you share the e-mail of the security team?
>
> If it's a security issue in zsh, you can get in touch with Oliver,
> Bart, and of course Peter. You might want to cc. Stephane as well, as
> he has some experience on the matter (e.g. Shellshock).
>
> I've put all of them in cc.
>
> Best regards,
>
> --
> Jérémie
* Re: Security
2020-12-23 5:53 ` Security reportyigit46
@ 2020-12-23 17:17 ` Peter Stephenson
2020-12-23 17:18 ` Security gi1242+zsh
1 sibling, 0 replies; 14+ messages in thread
From: Peter Stephenson @ 2020-12-23 17:17 UTC (permalink / raw)
To: zsh-workers
On Wed, 2020-12-23 at 05:53 +0000, reportyigit46 wrote:
> Hello,
> I can't get an answer from Oliver. Which one can give me an answer?
You might want to try zsh-infra@zsh.org which is the small number
of people who have direct responsibility for the zsh site, so
all of necessity trustworthy --- I don't think there's anything
more specific.
pws
> Thank you,
>
>
> On Sun, Dec 20, 2020 16:46, Jérémie Roquet <jroquet@arkanosis.net> wrote:
> > Hi,
> >
> > On Sun 20 Dec 2020 at 14:13, reportyigit46
> > <reportyigit46@protonmail.com> wrote:
> > > I want to share a security issue. Can you share the e-mail of the security team?
> >
> > If it's a security issue in zsh, you can get in touch with Oliver,
> > Bart, and of course Peter. You might want to cc. Stephane as well, as
> > he has some experience on the matter (e.g. Shellshock).
> >
> > I've put all of them in cc.
> >
> > Best regards,
> >
> > --
> > Jérémie
>
>
* Re: Security
2020-12-23 5:53 ` Security reportyigit46
2020-12-23 17:17 ` Security Peter Stephenson
@ 2020-12-23 17:18 ` gi1242+zsh
2020-12-23 18:50 ` Security reportyigit46
1 sibling, 1 reply; 14+ messages in thread
From: gi1242+zsh @ 2020-12-23 17:18 UTC (permalink / raw)
To: reportyigit46; +Cc: zsh-workers
On Wed, Dec 23, 2020 at 05:53:26AM +0000, reportyigit46 wrote:
> I can't get an answer from Oliver. Which one can give me an answer?
Just FYI -- if you email the devs and tell them the security issue, I'm
sure they will handle it and respond. (They are responsive to
inconsequential things like color changes; they will certainly respond
to security issues.)
However, if you email them only saying "I have a security issue", they
will likely ignore your message thinking it's spam. I do get one such
email every day telling me my account has been suspended and I need to
respond "urgently". I usually delete such emails, unless it is coming
from an official 100% real Nigerian prince...
GI
--
Wife: "Go to the store and buy a loaf of bread. If they have eggs, buy a
dozen."
The programmer husband returns with 12 loaves of bread.
* Re: Security
2020-12-23 17:18 ` Security gi1242+zsh
@ 2020-12-23 18:50 ` reportyigit46
2020-12-25 16:06 ` Security Daniel Shahaf
0 siblings, 1 reply; 14+ messages in thread
From: reportyigit46 @ 2020-12-23 18:50 UTC (permalink / raw)
To: gi1242+zsh; +Cc: zsh-workers
Hello,
Thank you for contacting me. I sent the issue details, but I can't get an answer.
Thank you,
Sent with ProtonMail Secure Email.
------- Original Message -------
On Wednesday, 23 December 2020 20:18, <gi1242+zsh@gmail.com> wrote:
> On Wed, Dec 23, 2020 at 05:53:26AM +0000, reportyigit46 wrote:
>
> > I can't get an answer from Oliver. Which one can give me an answer?
>
> Just FYI -- if you email the devs and tell them the security issue, I'm
> sure they will handle it and respond. (They are responsive to
> inconsequential things like color changes; they will certainly respond
> to security issues.)
>
> However, if you email them only saying "I have a security issue", they
> will likely ignore your message thinking it's spam. I do get one such
> email every day telling me my account has been suspended and I need to
> respond "urgently". I usually delete such emails, unless it is coming
> from an official 100% real Nigerian prince...
>
> GI
>
> --
>
> Wife: "Go to the store and buy a loaf of bread. If they have eggs, buy a
> dozen."
> The programmer husband returns with 12 loaves of bread.
* Re: Security
2020-12-23 18:50 ` Security reportyigit46
@ 2020-12-25 16:06 ` Daniel Shahaf
2020-12-27 21:48 ` Security Phil Pennock
0 siblings, 1 reply; 14+ messages in thread
From: Daniel Shahaf @ 2020-12-25 16:06 UTC (permalink / raw)
To: reportyigit46, gi1242+zsh; +Cc: zsh-workers
Sorry for the delay. It sounds like you emailed _only_ Oliver, so he
might simply be on holiday. In any case, to avoid a single point of
failure, please email the details to zsh-infra@zsh.org. Thanks!
Note to -workers@: Folks who have dealt with previous security issues
(or are otherwise trusted) and aren't already on -infra@ are welcome to
join. Just send a subscription request the usual way. (And yes,
a separate -security@ list might be a good idea, or at least an alias.)
Cheers,
Daniel
reportyigit46 wrote on Wed, 23 Dec 2020 18:50 +00:00:
> Hello,
> Thank you for contacting me. I sent the issue details, but I can't get an answer.
>
> Thank you,
>
>
> Sent with ProtonMail Secure Email.
>
> ------- Original Message -------
> On Wednesday, 23 December 2020 20:18, <gi1242+zsh@gmail.com> wrote:
>
> > On Wed, Dec 23, 2020 at 05:53:26AM +0000, reportyigit46 wrote:
> >
> > > I can't get an answer from Oliver. Which one can give me an answer?
> >
> > Just FYI -- if you email the devs and tell them the security issue, I'm
> > sure they will handle it and respond. (They are responsive to
> > inconsequential things like color changes; they will certainly respond
> > to security issues.)
> >
> > However, if you email them only saying "I have a security issue", they
> > will likely ignore your message thinking it's spam. I do get one such
> > email every day telling me my account has been suspended and I need to
> > respond "urgently". I usually delete such emails, unless it is coming
> > from an official 100% real Nigerian prince...
> >
> > GI
> >
> > --
> >
> > Wife: "Go to the store and buy a loaf of bread. If they have eggs, buy a
> > dozen."
> > The programmer husband returns with 12 loaves of bread.
>
>
>
>
* Re: Security
2020-12-25 16:06 ` Security Daniel Shahaf
@ 2020-12-27 21:48 ` Phil Pennock
2020-12-27 22:40 ` Security Jérémie Roquet
2020-12-28 10:50 ` Security Daniel Shahaf
0 siblings, 2 replies; 14+ messages in thread
From: Phil Pennock @ 2020-12-27 21:48 UTC (permalink / raw)
To: zsh-workers
On 2020-12-25 at 16:06 +0000, Daniel Shahaf wrote:
> Sorry for the delay. It sounds like you emailed _only_ Oliver, so he
> might simply be on holiday. In any case, to avoid a single point of
> failure, please email the details to zsh-infra@zsh.org. Thanks!
>
> Note to -workers@: Folks who have dealt with previous security issues
> (or are otherwise trusted) and aren't already on -infra@ are welcome to
> join. Just send a subscription request the usual way. (And yes,
> a separate -security@ list might be a good idea, or at least an alias.)
zsh-security@ now exists, we're kicking the tires. I set it to
closed-to-new-subscribers, so Daniel might clean up after me and open it
to let people ask in the usual way. (Sorry, I missed this thread before
and only saw it after closing out the stuff I had open for setup).
The -infra list is intended to be boring. Several of the people you
want looking at security stuff are not subscribed and probably don't
want the spam of discussions about mailing-list bounce rates,
certificate renewals, etc.
-Phil
* Re: Security
2020-12-27 21:48 ` Security Phil Pennock
@ 2020-12-27 22:40 ` Jérémie Roquet
2020-12-27 23:37 ` Security Phil Pennock
2020-12-28 10:50 ` Security Daniel Shahaf
1 sibling, 1 reply; 14+ messages in thread
From: Jérémie Roquet @ 2020-12-27 22:40 UTC (permalink / raw)
To: Phil Pennock, Daniel Shahaf; +Cc: Zsh Hackers' List
On Sun 27 Dec 2020 at 22:49, Phil Pennock
<zsh-workers+phil.pennock@spodhuis.org> wrote:
>
> On 2020-12-25 at 16:06 +0000, Daniel Shahaf wrote:
> > a separate -security@ list might be a good idea, or at least an alias.)
>
> zsh-security@ now exists, we're kicking the tires.
Daniel, Phil, would it be possible to advertise for this new list on
the mailing lists page?
http://zsh.sourceforge.net/Arc/mlist.html
… and maybe set up a security.txt as well?
https://securitytxt.org/
That's not yet a widely recognized standard, but I believe someone
unfamiliar with a project yet familiar with security would start by
looking there if there is a contact address.
Thanks!
--
Jérémie
* Re: Security
2020-12-27 22:40 ` Security Jérémie Roquet
@ 2020-12-27 23:37 ` Phil Pennock
2020-12-28 0:11 ` Security Jérémie Roquet
0 siblings, 1 reply; 14+ messages in thread
From: Phil Pennock @ 2020-12-27 23:37 UTC (permalink / raw)
To: Jérémie Roquet; +Cc: Daniel Shahaf, Zsh Hackers' List
On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> Daniel, Phil, would it be possible to advertise for this new list on
> the mailing lists page?
>
> http://zsh.sourceforge.net/Arc/mlist.html
Oops, thanks.
Theoretically done. I don't know how much caching there is inside
SourceForge, but the git repo has been updated and the website content
has been rsync'd.
> … and maybe set up a security.txt as well?
>
> https://securitytxt.org/
>
> That's not yet a widely recognized standard, but I believe someone
> unfamiliar with a project yet familiar with security would start by
> looking there if there is a contact address.
This one is not my call to make. I like the general idea and use it for
my own site (which ~nobody cares about) but I'm not going to deploy
without other folks mulling it over first.
-Phil
* Re: Security
2020-12-27 23:37 ` Security Phil Pennock
@ 2020-12-28 0:11 ` Jérémie Roquet
2020-12-28 10:46 ` Security Daniel Shahaf
0 siblings, 1 reply; 14+ messages in thread
From: Jérémie Roquet @ 2020-12-28 0:11 UTC (permalink / raw)
To: Phil Pennock; +Cc: Daniel Shahaf, Zsh Hackers' List
On Mon 28 Dec 2020 at 00:37, Phil Pennock
<zsh-workers+phil.pennock@spodhuis.org> wrote:
>
> On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> > Daniel, Phil, would it be possible to advertise for this new list on
> > the mailing lists page?
> >
> > http://zsh.sourceforge.net/Arc/mlist.html
>
> Theoretically done. I don't know how much caching there is inside
> SourceForge, but the git repo has been updated and the website content
> has been rsync'd.
That's visible for me now. Thank you!
> > … and maybe set up a security.txt as well?
> >
> > https://securitytxt.org/
> >
> > That's not yet a widely recognized standard, but I believe someone
> > unfamiliar with a project yet familiar with security would start by
> > looking there if there is a contact address.
>
> This one is not my call to make. I like the general idea and use it for
> my own site (which ~nobody cares about) but I'm not going to deploy
> without other folks mulling it over first.
That's fair. So, for anyone wondering what this security.txt thing is
about: it's a single file made available at
$DOMAIN/.well-known/security.txt, in which some predefined fields can
/ should be filled in, such as an email address to use to report
security issues. This is mostly used to report issues on websites rather
than in software, but I believe it's a place where people into
security will look anyway if they are trying to find a contact
address (possibly before looking at the website itself). The
specification is intended to become a standard but isn't yet; its
ability to become one is also driven by its adoption, of course (the
usual chicken-and-egg problem).
Thanks again,
--
Jérémie
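As an added example (not from the thread or the zsh project), a small Python parser and validator for a security.txt file of the kind Jérémie describes: it checks that the file gives a reporter a usable contact and has not expired. The field names (Contact, Expires, Canonical, Preferred-Languages) and the requirement that Contact be a mailto:, https: or tel: URI come from the securitytxt.org specification rather than from the thread, and the sample file is constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample of a file served at https://example.org/.well-known/security.txt
SAMPLE = """# Constructed example; not a real project's file.
Contact: mailto:security@example.org
Contact: https://example.org/report
Expires: 2021-06-30T00:00:00Z
Preferred-Languages: en, fr
Canonical: https://example.org/.well-known/security.txt
"""

def parse_security_txt(text):
    """Map each field name (lower-cased) to the list of values in file order.
    '#' lines are comments and blank lines are ignored; anything else must be
    'Field: value'."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _parse_ts(value):
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate(fields, now=None):
    """Return the problems a reporter (or the site owner) would care about;
    an empty list means the file gives a usable, unexpired contact."""
    if isinstance(now, str):
        now = _parse_ts(now)
    now = now or datetime.now(timezone.utc)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: a reporter has nowhere to write")
    for c in contacts:
        if urlsplit(c).scheme not in ("mailto", "https", "tel"):
            problems.append(f"Contact must be a mailto:, https: or tel: URI: {c!r}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            if _parse_ts(expires[0]) <= now:
                problems.append("file has expired: stale contact data sends reports nowhere")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 date-time: {expires[0]!r}")
    for c in fields.get("canonical", []):
        if urlsplit(c).scheme != "https" or not c.endswith("/.well-known/security.txt"):
            problems.append(f"Canonical should be the https URL of the file itself: {c!r}")
    return problems

def check_text(text, now=None):
    """Convenience wrapper: parse and validate in one call."""
    return validate(parse_security_txt(text), now)
```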
* Re: Security
2020-12-28 0:11 ` Security Jérémie Roquet
@ 2020-12-28 10:46 ` Daniel Shahaf
2020-12-28 11:08 ` Security Jérémie Roquet
0 siblings, 1 reply; 14+ messages in thread
From: Daniel Shahaf @ 2020-12-28 10:46 UTC (permalink / raw)
To: Jérémie Roquet; +Cc: Zsh Hackers' List
Jérémie Roquet wrote on Mon, Dec 28, 2020 at 01:11:10 +0100:
> On Mon 28 Dec 2020 at 00:37, Phil Pennock
> <zsh-workers+phil.pennock@spodhuis.org> wrote:
> >
> > On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> > > Daniel, Phil, would it be possible to advertise for this new list on
> > > the mailing lists page?
> > >
> > > http://zsh.sourceforge.net/Arc/mlist.html
> >
> > Theoretically done. I don't know how much caching there is inside
> > SourceForge, but the git repo has been updated and the website content
> > has been rsync'd.
>
> That's visible for me now. Thank you!
>
> > > … and maybe set up a security.txt as well?
> > >
> > > https://securitytxt.org/
> > >
> > > That's not yet a widely recognized standard, but I believe someone
> > > unfamiliar with a project yet familiar with security would start by
> > > looking there if there is a contact address.
> >
> > This one is not my call to make. I like the general idea and use it for
> > my own site (which ~nobody cares about) but I'm not going to deploy
> > without other folks mulling it over first.
>
> That's fair. So, for anyone wondering what this security.txt thing is
> about: it's a single file made available at
> $DOMAIN/.well-known/security.txt, in which some predefined fields can
> / should be filled in, such as an email address to use to report
> security issues. This is mostly used to report issues on websites rather
> than in software, but I believe it's a place where people into
> security will look anyway if they are trying to find a contact
> address (possibly before looking at the website itself). The
> specification is intended to become a standard
Are you sure about this? The Internet Draft's "Intended status" is
"Informational", as opposed to "Standards track".
> but isn't yet; its ability to become one is also driven by its adoption, of
> course (the usual chicken-and-egg problem).
Cheers,
Daniel
* Re: Security
2020-12-27 21:48 ` Security Phil Pennock
2020-12-27 22:40 ` Security Jérémie Roquet
@ 2020-12-28 10:50 ` Daniel Shahaf
1 sibling, 0 replies; 14+ messages in thread
From: Daniel Shahaf @ 2020-12-28 10:50 UTC (permalink / raw)
To: zsh-workers
Phil Pennock wrote on Sun, Dec 27, 2020 at 16:48:54 -0500:
> On 2020-12-25 at 16:06 +0000, Daniel Shahaf wrote:
> > Sorry for the delay. It sounds like you emailed _only_ Oliver, so he
> > might simply be on holiday. In any case, to avoid a single point of
> > failure, please email the details to zsh-infra@zsh.org. Thanks!
> >
> > Note to -workers@: Folks who have dealt with previous security issues
> > (or are otherwise trusted) and aren't already on -infra@ are welcome to
> > join. Just send a subscription request the usual way. (And yes,
> > a separate -security@ list might be a good idea, or at least an alias.)
>
> zsh-security@ now exists, we're kicking the tires. I set it to
> closed-to-new-subscribers, so Daniel might clean up after me and open it
> to let people ask in the usual way.
I'm perfectly happy to let it stay as "Ask someone to add you manually", for
the time being at least, due to shortage of brainwidth on my end.
> (Sorry, I missed this thread before
> and only saw it after closing out the stuff I had open for setup).
>
> The -infra list is intended to be boring. Several of the people you
> want looking at security stuff are not subscribed and probably don't
> want the spam of discussions about mailing-list bounce rates,
> certificate renewals, etc.
>
> -Phil
>
* Re: Security
2020-12-28 10:46 ` Security Daniel Shahaf
@ 2020-12-28 11:08 ` Jérémie Roquet
0 siblings, 0 replies; 14+ messages in thread
From: Jérémie Roquet @ 2020-12-28 11:08 UTC (permalink / raw)
To: Daniel Shahaf; +Cc: Zsh Hackers' List
On Mon 28 Dec 2020 at 11:46, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
>
> Jérémie Roquet wrote on Mon, Dec 28, 2020 at 01:11:10 +0100:
> > That's fair. So, for anyone wondering what this security.txt thing is
> > […]
> > The specification is intended to become a standard
>
> Are you sure about this? The Internet Draft's "Intended status" is
> "Informational", as opposed to "Standards track".
Well, I'm not sure, then. The website says “proposed standard”… I
guess it depends on who you ask.
> > but isn't yet; its ability to become one is also driven by its adoption, of
> > course (the usual chicken-and-egg problem).
That's the only thing I'm sure of: it seems rather well received, but
it has yet to see a wider adoption before one can say it's a standard,
hence my note.
Best regards,
--
Jérémie