Conversation

@rolandshoemaker
Contributor

We've had multiple security reports originating from crashes discovered by oss-fuzz. I was unaware that the results were entirely public.

Restrict access to issues to the Go Security team.

Note: It's unclear to me if this actually accomplishes what I want. view_restrictions seems entirely undocumented. From contextual clues from other projects it seems that removing the field causes restriction, but that is entirely a guess.

@github-actions

github-actions bot commented Mar 4, 2024

rolandshoemaker is a new contributor to projects/golang. The PR must be approved by known contributors before it can be merged. The past contributors are: catenacyber

Collaborator

@DavidKorczynski DavidKorczynski left a comment

Can you confirm @AdamKorcz shouldn't be on the list? He was added to provide support for golang fuzzing (done a lot https://github.com/google/oss-fuzz/commits/master/projects/golang) a couple of years ago #5617 and I assume in order to keep this maintained and perhaps expanded it's good to keep @AdamKorcz on the list -- I think he may have submitted some of the reports you mention?

view_restrictions will ensure that Monorail issues are no longer public when issues are found. It was set to this from the start of this integration: #2188 (comment)

@rolandshoemaker
Contributor Author

I'm not strictly opposed to leaving Adam on the list, with the understanding that we wish to restrict these issues because we believe they may have security impact per the Go Security policy and should not be disclosed publicly until we've decided they do not and/or are fixed.

If they are okay with informal handshake agreement as such I can put them back in.

@AdamKorcz
Collaborator

If they are okay with informal handshake agreement as such I can put them back in.

I am more than happy to stay on the list.

@DavidKorczynski
Collaborator

should not be disclosed publicly until we've decided they do not and/or are fixed.

For reference, all projects on OSS-Fuzz are subject to https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/

We've had multiple security reports originating from crashes discovered
by oss-fuzz. I was unaware that the results were entirely public.

Restrict access to issues to the Go Security team.

@rolandshoemaker
Contributor Author

👍 updated.

@DavidKorczynski
Collaborator

Build is failing but is not due to this PR

@rolandshoemaker
Contributor Author

#11665 should fix the build.

@DavidKorczynski DavidKorczynski merged commit dbba35d into google:master Mar 5, 2024