[tor-bugs] #2671 [Company]: Better communication for authority operators, core developers in emergency situations

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Tue Apr 26 02:10:05 UTC 2011 

#2671: Better communication for authority operators, core developers in emergency
situations
---------------------+------------------------------------------------------
 Reporter:  nickm    |          Owner:  nickm   
     Type:  task     |         Status:  assigned
 Priority:  normal   |      Milestone:          
Component:  Company  |        Version:          
 Keywords:           |         Parent:  #2664   
   Points:           |   Actualpoints:          
---------------------+------------------------------------------------------
Changes (by nickm):

  * owner:  => nickm


Comment:

 So for handling vulnerabilities, let me summarize what I think after
 talking with arma today, and hearing about what some other projects do.

 - Let's have a broad security team comprising Tor developers that Tor pays
 and volunteers whom we trust who seem to be helpful with security.
 - Let's have that team, and that team only, have access to a separate svn
 repository for discussing and sharing work on undisclosed vulnerabilities.
 - There should be a GPG key that only a couple people have that is the
 official way for people without access to the svn repo to report new
 vulnerabilities.
 - We should make sure that when people report stuff, we stay in touch with
 them to let them know our progress.  Else they tend to get angry and
 disillusioned, I hear.
 - This SVN repository should send a minimal email to the team only on
 commits: either encrypted to a pgp key, or giving only a notification that
 there were commits (maybe a filename?)
 - If we want to have discussions about stuff, we can do it via the svn
 repo or via email.  Email should cc the entire security team, using gpg.
 We can have a regularly rotated key that the security team shares (if
 we're lazy) or a carefully cross-signed set of keys that everybody
 remembers to encrypt every message to before sending it to the list (if
 we're brave.)
 - ALL DISCUSSIONS OF EACH ISSUE SHOULD BE MADE PUBLIC WHEN WE PATCH AND
 ANNOUNCE.  We should use this as a means to become more transparent in how
 we handle vulnerability reports.

 Thoughts?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2671#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list