[tor-bugs] #2671 [Company]: Better communication for authority operators, core developers in emergency situations

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Apr 27 20:00:16 UTC 2011 

#2671: Better communication for authority operators, core developers in emergency
situations
---------------------+------------------------------------------------------
 Reporter:  nickm    |          Owner:  nickm   
     Type:  task     |         Status:  assigned
 Priority:  normal   |      Milestone:          
Component:  Company  |        Version:          
 Keywords:           |         Parent:  #2664   
   Points:           |   Actualpoints:          
---------------------+------------------------------------------------------

Comment(by nickm):

 Revised plan:

 Here's the part that's basically done:

 - Let's have a broad security team comprising Tor developers that Tor pays
 and volunteers whom we trust who seem to be helpful with security.
 - To be on the secteam, Nick and Roger must agree that you should be on
 the secteam.  You need to agree to practice basic data hygiene, follow
 responsible-disclosure practices with all Tor-related vulnerabilities you
 find, and help with resolving security issues.  For now we are only taking
 volunteers whom one of us has met, and who have worked on fixing security
 issues in Tor in the past.  Once we get up to speed we might expand this.
 - Let's have that team, and that team only, have access to a separate Git
 repository for discussing and sharing work on undisclosed vulnerabilities.
 - ALL DISCUSSIONS OF EACH ISSUE SHOULD BE MADE PUBLIC WHEN WE PATCH AND
 ANNOUNCE. We should use this as a means to become more transparent in how
 we handle vulnerability reports.
 - There should be a GPG key that only a couple people have that is the
 official way for people without access to the git repo to report new
 vulnerabilities, and an official email address for it.
 - We should make sure that when people report stuff, we stay in touch with
 them to let them know our progress. Else they tend to get angry and
 disillusioned, I hear.


 We have not decided about :

 - This git repository should probably notify team members of new commits
 somehow.   It should either use pgp-enrypted mail, or give a notification
 only saying "There was a commit by personname".  (Branch names and file
 names are not a great thing to leak.)
 - If there should be some kind of encrypted mailing list for the whole
 team.  I am leaning to no.
 - How best to actually do stuff in the repo
 - Where to publish resolved issues, on what schedule.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2671#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list