zsh-workers
* Security
@ 2020-12-20 13:13 reportyigit46
  2020-12-20 13:46 ` Security Jérémie Roquet
  0 siblings, 1 reply; 14+ messages in thread
From: reportyigit46 @ 2020-12-20 13:13 UTC (permalink / raw)
  To: zsh-workers


Hello,
I want to share a security issue. Can you share the e-mail of the security team?



* Re: Security
  2020-12-20 13:13 Security reportyigit46
@ 2020-12-20 13:46 ` Jérémie Roquet
  2020-12-23  5:53   ` Security reportyigit46
  0 siblings, 1 reply; 14+ messages in thread
From: Jérémie Roquet @ 2020-12-20 13:46 UTC (permalink / raw)
  To: reportyigit46
  Cc: zsh-workers, Oliver Kiddle, Bart Schaefer, Peter Stephenson,
	Stephane Chazelas

Hi,

On Sun, 20 Dec 2020 at 14:13, reportyigit46
<reportyigit46@protonmail.com> wrote:
> I want to share a security issue. Can you share the e-mail of the security team?

If it's a security issue in zsh, you can get in touch with Oliver,
Bart, and of course Peter. You might want to cc. Stephane as well, as
he has some experience on the matter (e.g. Shellshock).

I've put all of them in cc.

Best regards,

-- 
Jérémie



* Re: Security
  2020-12-20 13:46 ` Security Jérémie Roquet
@ 2020-12-23  5:53   ` reportyigit46
  2020-12-23 17:17     ` Security Peter Stephenson
  2020-12-23 17:18     ` Security gi1242+zsh
  0 siblings, 2 replies; 14+ messages in thread
From: reportyigit46 @ 2020-12-23  5:53 UTC (permalink / raw)
  To: Jérémie Roquet
  Cc: zsh-workers, Oliver Kiddle, Bart Schaefer, Peter Stephenson,
	Stephane Chazelas


Hello,
I can't get an answer from Oliver. Which one can give me an answer?

Thank you,

On Sun, Dec 20, 2020 16:46, Jérémie Roquet <jroquet@arkanosis.net> wrote:

> Hi,
>
> On Sun, 20 Dec 2020 at 14:13, reportyigit46
> <reportyigit46@protonmail.com> wrote:
>> I want to share a security issue. Can you share the e-mail of the security team?
>
> If it's a security issue in zsh, you can get in touch with Oliver,
> Bart, and of course Peter. You might want to cc. Stephane as well, as
> he has some experience on the matter (e.g. Shellshock).
>
> I've put all of them in cc.
>
> Best regards,
>
> --
> Jérémie



* Re: Security
  2020-12-23  5:53   ` Security reportyigit46
@ 2020-12-23 17:17     ` Peter Stephenson
  2020-12-23 17:18     ` Security gi1242+zsh
  1 sibling, 0 replies; 14+ messages in thread
From: Peter Stephenson @ 2020-12-23 17:17 UTC (permalink / raw)
  To: zsh-workers

On Wed, 2020-12-23 at 05:53 +0000, reportyigit46 wrote:
> Hello,
> I can't get an answer from Oliver. Which one can give me an answer?

You might want to try zsh-infra@zsh.org which is the small number
of people who have direct responsibility for the zsh site, so
all of necessity trustworthy --- I don't think there's anything
more specific.

pws

> Thank you,
> 
> 
> On Sun, Dec 20, 2020 16:46, Jérémie Roquet <jroquet@arkanosis.net> wrote:
> > Hi,
> > 
> > On Sun, 20 Dec 2020 at 14:13, reportyigit46
> > <reportyigit46@protonmail.com> wrote:
> > > I want to share a security issue. Can you share the e-mail of the security team?
> > 
> > If it's a security issue in zsh, you can get in touch with Oliver,
> > Bart, and of course Peter. You might want to cc. Stephane as well, as
> > he has some experience on the matter (e.g. Shellshock).
> > 
> > I've put all of them in cc.
> > 
> > Best regards,
> > 
> > --
> > Jérémie
> 
> 




* Re: Security
  2020-12-23  5:53   ` Security reportyigit46
  2020-12-23 17:17     ` Security Peter Stephenson
@ 2020-12-23 17:18     ` gi1242+zsh
  2020-12-23 18:50       ` Security reportyigit46
  1 sibling, 1 reply; 14+ messages in thread
From: gi1242+zsh @ 2020-12-23 17:18 UTC (permalink / raw)
  To: reportyigit46; +Cc: zsh-workers

On Wed, Dec 23, 2020 at 05:53:26AM +0000, reportyigit46 wrote:

> I can't get an answer from Oliver. Which one can give me an answer?

Just FYI -- if you email the devs and tell them the security issue, I'm
sure they will handle it and respond. (They are responsive to
inconsequential things like color changes; they will certainly respond
to security issues.)

However, if you email them only saying "I have a security issue", they
will likely ignore your message thinking it's spam. I do get one such
email every day telling me my account has been suspended and I need to
respond "urgently". I usually delete such emails, unless it is coming
from an official 100% real Nigerian prince...

GI

-- 
Wife: "Go to the store and buy a loaf of bread. If they have eggs, buy a
dozen."
The programmer husband returns with 12 loaves of bread.



* Re: Security
  2020-12-23 17:18     ` Security gi1242+zsh
@ 2020-12-23 18:50       ` reportyigit46
  2020-12-25 16:06         ` Security Daniel Shahaf
  0 siblings, 1 reply; 14+ messages in thread
From: reportyigit46 @ 2020-12-23 18:50 UTC (permalink / raw)
  To: gi1242+zsh; +Cc: zsh-workers

Hello,
Thank you for contacting me. I sent the issue details, but I can't get an answer.

Thank you,


Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, 23 December 2020 20:18, <gi1242+zsh@gmail.com> wrote:

> On Wed, Dec 23, 2020 at 05:53:26AM +0000, reportyigit46 wrote:
>
> > I can't get an answer from Oliver. Which one can give me an answer?
>
> Just FYI -- if you email the devs and tell them the security issue, I'm
> sure they will handle it and respond. (They are responsive to
> inconsequential things like color changes; they will certainly respond
> to security issues.)
>
> However, if you email them only saying "I have a security issue", they
> will likely ignore your message thinking it's spam. I do get one such
> email every day telling me my account has been suspended and I need to
> respond "urgently". I usually delete such emails, unless it is coming
> from an official 100% real Nigerian prince...
>
> GI
>
> -- 
>
> Wife: "Go to the store and buy a loaf of bread. If they have eggs, buy a
> dozen."
> The programmer husband returns with 12 loaves of bread.





* Re: Security
  2020-12-23 18:50       ` Security reportyigit46
@ 2020-12-25 16:06         ` Daniel Shahaf
  2020-12-27 21:48           ` Security Phil Pennock
  0 siblings, 1 reply; 14+ messages in thread
From: Daniel Shahaf @ 2020-12-25 16:06 UTC (permalink / raw)
  To: reportyigit46, gi1242+zsh; +Cc: zsh-workers

Sorry for the delay.  It sounds like you emailed _only_ Oliver, so he
might simply be on holiday.  In any case, to avoid a single point of
failure, please email the details to zsh-infra@zsh.org.  Thanks!

Note to -workers@: Folks who have dealt with previous security issues
(or are otherwise trusted) and aren't already on -infra@ are welcome to
join. Just send a subscription request the usual way.  (And yes,
a separate -security@ list might be a good idea, or at least an alias.)

Cheers,

Daniel

reportyigit46 wrote on Wed, 23 Dec 2020 18:50 +00:00:
> Hello,
> Thank you for contacting me. I sent the issue details, but I can't get an answer.
> 
> Thank you,
> 
> 
> Sent with ProtonMail Secure Email.
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, 23 December 2020 20:18, <gi1242+zsh@gmail.com> wrote:
> 
> > On Wed, Dec 23, 2020 at 05:53:26AM +0000, reportyigit46 wrote:
> >
> > > I can't get an answer from Oliver. Which one can give me an answer?
> >
> > Just FYI -- if you email the devs and tell them the security issue, I'm
> > sure they will handle it and respond. (They are responsive to
> > inconsequential things like color changes; they will certainly respond
> > to security issues.)
> >
> > However, if you email them only saying "I have a security issue", they
> > will likely ignore your message thinking it's spam. I do get one such
> > email every day telling me my account has been suspended and I need to
> > respond "urgently". I usually delete such emails, unless it is coming
> > from an official 100% real Nigerian prince...
> >
> > GI
> >
> > -- 
> >
> > Wife: "Go to the store and buy a loaf of bread. If they have eggs, buy a
> > dozen."
> > The programmer husband returns with 12 loaves of bread.
> 
> 
> 
>



* Re: Security
  2020-12-25 16:06         ` Security Daniel Shahaf
@ 2020-12-27 21:48           ` Phil Pennock
  2020-12-27 22:40             ` Security Jérémie Roquet
  2020-12-28 10:50             ` Security Daniel Shahaf
  0 siblings, 2 replies; 14+ messages in thread
From: Phil Pennock @ 2020-12-27 21:48 UTC (permalink / raw)
  To: zsh-workers

On 2020-12-25 at 16:06 +0000, Daniel Shahaf wrote:
> Sorry for the delay.  It sounds like you emailed _only_ Oliver, so he
> might simply be on holiday.  In any case, to avoid a single point of
> failure, please email the details to zsh-infra@zsh.org.  Thanks!
> 
> Note to -workers@: Folks who have dealt with previous security issues
> (or are otherwise trusted) and aren't already on -infra@ are welcome to
> join. Just send a subscription request the usual way.  (And yes,
> a separate -security@ list might be a good idea, or at least an alias.)

zsh-security@ now exists, we're kicking the tires.  I set it to
closed-to-new-subscribers, so Daniel might clean up after me and open it
to let people ask in the usual way.  (Sorry, I missed this thread before
and only saw it after closing out the stuff I had open for setup).

The -infra list is intended to be boring.  Several of the people you
want looking at security stuff are not subscribed and probably don't
want the spam of discussions about mailing-list bounce rates,
certificate renewals, etc.

-Phil



* Re: Security
  2020-12-27 21:48           ` Security Phil Pennock
@ 2020-12-27 22:40             ` Jérémie Roquet
  2020-12-27 23:37               ` Security Phil Pennock
  2020-12-28 10:50             ` Security Daniel Shahaf
  1 sibling, 1 reply; 14+ messages in thread
From: Jérémie Roquet @ 2020-12-27 22:40 UTC (permalink / raw)
  To: Phil Pennock, Daniel Shahaf; +Cc: Zsh Hackers' List

On Sun, 27 Dec 2020 at 22:49, Phil Pennock
<zsh-workers+phil.pennock@spodhuis.org> wrote:
>
> On 2020-12-25 at 16:06 +0000, Daniel Shahaf wrote:
> > a separate -security@ list might be a good idea, or at least an alias.)
>
> zsh-security@ now exists, we're kicking the tires.

Daniel, Phil, would it be possible to advertise for this new list on
the mailing lists page?

  http://zsh.sourceforge.net/Arc/mlist.html

… and maybe set up a security.txt as well?

  https://securitytxt.org/

That's not yet a widely recognized standard, but I believe someone
unfamiliar with a project yet familiar with security would start by
looking there if there is a contact address.

Thanks!

-- 
Jérémie



* Re: Security
  2020-12-27 22:40             ` Security Jérémie Roquet
@ 2020-12-27 23:37               ` Phil Pennock
  2020-12-28  0:11                 ` Security Jérémie Roquet
  0 siblings, 1 reply; 14+ messages in thread
From: Phil Pennock @ 2020-12-27 23:37 UTC (permalink / raw)
  To: Jérémie Roquet; +Cc: Daniel Shahaf, Zsh Hackers' List

On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> Daniel, Phil, would it be possible to advertise for this new list on
> the mailing lists page?
> 
>   http://zsh.sourceforge.net/Arc/mlist.html

Oops, thanks.

Theoretically done.  I don't know how much caching there is inside
SourceForge, but the git repo has been updated and the website content
has been rsync'd.

> … and maybe set up a security.txt as well?
> 
>   https://securitytxt.org/
> 
> That's not yet a widely recognized standard, but I believe someone
> unfamiliar with a project yet familiar with security would start by
> looking there if there is a contact address.

This one is not my call to make.  I like the general idea and use it for
my own site (which ~nobody cares about) but I'm not going to deploy
without other folks mulling it over first.

-Phil



* Re: Security
  2020-12-27 23:37               ` Security Phil Pennock
@ 2020-12-28  0:11                 ` Jérémie Roquet
  2020-12-28 10:46                   ` Security Daniel Shahaf
  0 siblings, 1 reply; 14+ messages in thread
From: Jérémie Roquet @ 2020-12-28  0:11 UTC (permalink / raw)
  To: Phil Pennock; +Cc: Daniel Shahaf, Zsh Hackers' List

On Mon, 28 Dec 2020 at 00:37, Phil Pennock
<zsh-workers+phil.pennock@spodhuis.org> wrote:
>
> On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> > Daniel, Phil, would it be possible to advertise for this new list on
> > the mailing lists page?
> >
> >   http://zsh.sourceforge.net/Arc/mlist.html
>
> Theoretically done.  I don't know how much caching there is inside
> SourceForge, but the git repo has been updated and the website content
> has been rsync'd.

That's visible for me now. Thank you!

> > … and maybe set up a security.txt as well?
> >
> >   https://securitytxt.org/
> >
> > That's not yet a widely recognized standard, but I believe someone
> > unfamiliar with a project yet familiar with security would start by
> > looking there if there is a contact address.
>
> This one is not my call to make.  I like the general idea and use it for
> my own site (which ~nobody cares about) but I'm not going to deploy
> without other folks mulling it over first.

That's fair. So, for anyone wondering what this security.txt thing is
about: it's a single file made available at
$DOMAIN/.well-known/security.txt, in which some predefined fields can
/ should be filled in, such as an email address to use to report
security issues. This is mostly used to report issues on websites rather
than in software, but I believe it's a place where people into
security will look anyway if they are trying to find a contact
address (possibly before looking at the website itself). The
specification is intended to become a standard but isn't yet; its
ability to become one is also driven by its adoption, of course (the
usual chicken-and-egg problem).

Thanks again,

-- 
Jérémie


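For anyone who wants to sanity-check such a file before serving it, here is an added example (mine, not code from the zsh project or from anyone in this thread): a small parser and validator for security.txt. Field names follow the securitytxt.org specification (later published as RFC 9116); the sample file and the example.invalid addresses in it are constructed.

```python
"""Parse and sanity-check a security.txt file before publishing it.

Added example, not code from the zsh project. Field names follow the
securitytxt.org specification; the sample below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of what a project might serve at
# $DOMAIN/.well-known/security.txt (addresses are placeholders).
SAMPLE = """\
# Where to report security issues (constructed sample)
Contact: mailto:security-list@example.invalid
Contact: https://example.invalid/security
Expires: 2099-01-01T00:00:00Z
Encryption: https://example.invalid/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.invalid/.well-known/security.txt
"""

@dataclass
class SecurityTxt:
    fields: Dict[str, List[str]] = field(default_factory=dict)  # lower-cased name -> values
    problems: List[str] = field(default_factory=list)           # syntax errors found

def parse_security_txt(text: str) -> SecurityTxt:
    """Read 'Field: value' lines; '#' starts a comment, blank lines are ignored.
    Field names are case-insensitive and may repeat (e.g. several Contact: lines)."""
    parsed = SecurityTxt()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # split on the FIRST colon only,
        if not sep or not value.strip():        # so mailto:/https: values survive
            parsed.problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        parsed.fields.setdefault(name.strip().lower(), []).append(value.strip())
    return parsed

def check_security_txt(parsed: SecurityTxt, now: Optional[datetime] = None) -> List[str]:
    """Return what a publisher should fix: missing Contact, non-URI Contact values,
    a missing, malformed or stale Expires. An empty list means the file looks sound."""
    now = now or datetime.now(timezone.utc)
    problems = list(parsed.problems)
    contacts = parsed.fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact: field")
    for uri in contacts:
        # The spec wants a URI, so a bare address must be written as mailto:
        if not uri.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact: should be a mailto:/https:/tel: URI: {uri}")
    expires = parsed.fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires: field is required")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append(f"Expires: is in the past ({expires[0]})")
        except ValueError:
            problems.append(f"Expires: is not an ISO 8601 timestamp: {expires[0]}")
    return problems

if __name__ == "__main__":
    for issue in check_security_txt(parse_security_txt(SAMPLE)) or ["no problems found"]:
        print(issue)
```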

* Re: Security
  2020-12-28  0:11                 ` Security Jérémie Roquet
@ 2020-12-28 10:46                   ` Daniel Shahaf
  2020-12-28 11:08                     ` Security Jérémie Roquet
  0 siblings, 1 reply; 14+ messages in thread
From: Daniel Shahaf @ 2020-12-28 10:46 UTC (permalink / raw)
  To: Jérémie Roquet; +Cc: Zsh Hackers' List

Jérémie Roquet wrote on Mon, Dec 28, 2020 at 01:11:10 +0100:
> On Mon, 28 Dec 2020 at 00:37, Phil Pennock
> <zsh-workers+phil.pennock@spodhuis.org> wrote:
> >
> > On 2020-12-27 at 23:40 +0100, Jérémie Roquet wrote:
> > > Daniel, Phil, would it be possible to advertise for this new list on
> > > the mailing lists page?
> > >
> > >   http://zsh.sourceforge.net/Arc/mlist.html
> >
> > Theoretically done.  I don't know how much caching there is inside
> > SourceForge, but the git repo has been updated and the website content
> > has been rsync'd.
> 
> That's visible for me now. Thank you!
> 
> > > … and maybe set up a security.txt as well?
> > >
> > >   https://securitytxt.org/
> > >
> > > That's not yet a widely recognized standard, but I believe someone
> > > unfamiliar with a project yet familiar with security would start by
> > > looking there if there is a contact address.
> >
> > This one is not my call to make.  I like the general idea and use it for
> > my own site (which ~nobody cares about) but I'm not going to deploy
> > without other folks mulling it over first.
> 
> That's fair. So, for anyone wondering what this security.txt thing is
> about: it's a single file made available at
> $DOMAIN/.well-known/security.txt, in which some predefined fields can
> / should be filled in, such as an email address to use to report
> security issues. This is mostly used to report issues on websites rather
> than in software, but I believe it's a place where people into
> security will look anyway if they are trying to find a contact
> address (possibly before looking at the website itself). The
> specification is intended to become a standard

Are you sure about this?  The Internet Draft's "Intended status" is
"Informational", as opposed to "Standards track".

> but isn't yet; its ability to become one is also driven by its adoption, of
> course (the usual chicken-and-egg problem).

Cheers,

Daniel



* Re: Security
  2020-12-27 21:48           ` Security Phil Pennock
  2020-12-27 22:40             ` Security Jérémie Roquet
@ 2020-12-28 10:50             ` Daniel Shahaf
  1 sibling, 0 replies; 14+ messages in thread
From: Daniel Shahaf @ 2020-12-28 10:50 UTC (permalink / raw)
  To: zsh-workers

Phil Pennock wrote on Sun, Dec 27, 2020 at 16:48:54 -0500:
> On 2020-12-25 at 16:06 +0000, Daniel Shahaf wrote:
> > Sorry for the delay.  It sounds like you emailed _only_ Oliver, so he
> > might simply be on holiday.  In any case, to avoid a single point of
> > failure, please email the details to zsh-infra@zsh.org.  Thanks!
> > 
> > Note to -workers@: Folks who have dealt with previous security issues
> > (or are otherwise trusted) and aren't already on -infra@ are welcome to
> > join. Just send a subscription request the usual way.  (And yes,
> > a separate -security@ list might be a good idea, or at least an alias.)
> 
> zsh-security@ now exists, we're kicking the tires.  I set it to
> closed-to-new-subscribers, so Daniel might clean up after me and open it
> to let people ask in the usual way.

I'm perfectly happy to let it stay as "Ask someone to add you manually", for
the time being at least, due to shortage of brainwidth on my end.

> (Sorry, I missed this thread before
> and only saw it after closing out the stuff I had open for setup).
> 
> The -infra list is intended to be boring.  Several of the people you
> want looking at security stuff are not subscribed and probably don't
> want the spam of discussions about mailing-list bounce rates,
> certificate renewals, etc.
> 
> -Phil
> 



* Re: Security
  2020-12-28 10:46                   ` Security Daniel Shahaf
@ 2020-12-28 11:08                     ` Jérémie Roquet
  0 siblings, 0 replies; 14+ messages in thread
From: Jérémie Roquet @ 2020-12-28 11:08 UTC (permalink / raw)
  To: Daniel Shahaf; +Cc: Zsh Hackers' List

On Mon, 28 Dec 2020 at 11:46, Daniel Shahaf <d.s@daniel.shahaf.name> wrote:
>
> Jérémie Roquet wrote on Mon, Dec 28, 2020 at 01:11:10 +0100:
> > That's fair. So, for anyone wondering what this security.txt thing is
> > […]
> > The specification is intended to become a standard
>
> Are you sure about this?  The Internet Draft's "Intended status" is
> "Informational", as opposed to "Standards track".

Well, I'm not sure, then. The website says “proposed standard”… I
guess it depends on who you ask.

> > but isn't yet; its ability to become one is also driven by its adoption, of
> > course (the usual chicken-and-egg problem).

That's the only thing I'm sure of: it seems rather well received, but
it has yet to see a wider adoption before one can say it's a standard,
hence my note.

Best regards,

-- 
Jérémie


