-
Notifications
You must be signed in to change notification settings - Fork 30.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build,src: add tag/property for security releases #27612
Conversation
Define a new `NODE_VERSION_IS_SECURITY_RELEASE` macro in `src/node_version.h` that indicates if the release is a security release. Update the release documentation. Add a corresponding new property to `process.release` and include it in report and trace events output.
These are the build changes in core required to support nodejs/Release#437. Corresponding changes are required in the tool that builds the index files: nodejs/nodejs-dist-indexer#8 cc @nodejs/security-wg |
Is there a "homolog" of such a flag in other language runtimes? |
☝️ @bnb, as you raised the requirement. |
What does it mean for a This information doesn't relate to a process and it only relates to the codebase in a temporal sense of "this commit is better than an older commit because of I don't mind the idea of being able to report it in index.json/index.tab though. Here's two alternatives:
e.g. from 59 for CVE-2018-12123 "vulnerable": "6 || 8 || 10 || 11",
"patched": "^6.15.0 || ^8.14.0 || ^10.14.0 || ^11.3.0", 6.15.0, 8.14.0, 10.14.0, 11.3.0 are all clearly security releases. The trick is connecting this with the consumer. I've been inclined to say that it's up to consumers to put these pieces together, and ideally downstream packagers and service providers to provide a nice format for it (e.g. Snyk saying "hey, you're running a vulnerable version of Node" by having this information available). It's true that in the past, those vuln/core JSON files haven't been put in place until after releases were out, so it wouldn't have been possible for index.json and index.tab to have accurate information at that moment (it could be made accurate with a later re-run). But maybe that's a matter of process too. |
@rvagg I've just submitted nodejs/nodejs-dist-indexer#9 that does this. If that's the preferred approach we can close this PR and just submit a release docs update to this repository to codify the "This is a security release." in commit message convention. |
I'm -1 on adding a runtime property here because the value is likely limited and there is a non-zero chance of it being used in less-than-desirable ways. |
I share the concerns raised by others, and I am especially concerned that this will be routinely misunderstood as "This process is running in some sort of extra-secure mode" like a jailed process or something. I'm going to go ahead and close this out since it seems like your alternative approach is likely to happen and this is unlikely to happen. If you think I'm acting too soon, by all means, re-open it. (I'm just taking a break from something else to do some traiging/landing for a few minutes, and this is the thing I'm choosing to close out.) |
The release commit message for security releases have conventionally started with the phrase `This is a security release.`. Codify this as part of the release process so that the distribution indexer can use this to detect and mark releases as security releases. Fixes: nodejs/Release#437 Refs: nodejs#27612 (comment) Refs: nodejs/nodejs-dist-indexer#9
No worries. This PR has served it purpose, which was to try to get nodejs/Release#437 moving to some form of resolution. I've opened #27643 as a counterpart to nodejs/nodejs-dist-indexer#9. |
The release commit message for security releases have conventionally started with the phrase `This is a security release.`. Codify this as part of the release process so that the distribution indexer can use this to detect and mark releases as security releases. Fixes: nodejs/Release#437 Refs: nodejs#27612 (comment) Refs: nodejs/nodejs-dist-indexer#9 PR-URL: nodejs#27643 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Reviewed-By: Franziska Hinkelmann <[email protected]> Reviewed-By: Anto Aravinth <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Rich Trott <[email protected]>
The release commit message for security releases have conventionally started with the phrase `This is a security release.`. Codify this as part of the release process so that the distribution indexer can use this to detect and mark releases as security releases. Fixes: nodejs/Release#437 Refs: #27612 (comment) Refs: nodejs/nodejs-dist-indexer#9 PR-URL: #27643 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Beth Griggs <[email protected]> Reviewed-By: Franziska Hinkelmann <[email protected]> Reviewed-By: Anto Aravinth <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Define a new
NODE_VERSION_IS_SECURITY_RELEASE
macro insrc/node_version.h
that indicates if the release is a securityrelease. Update the release documentation.
Add a corresponding new property to
process.release
and includeit in report and trace events output.
Fixes: nodejs/Release#437
cc @nodejs/security-release
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes