From 007549d6f9514db4096e13a6ad10f745647b6c56 Mon Sep 17 00:00:00 2001 From: Joe Date: Tue, 2 Aug 2022 14:07:22 +0100 Subject: [PATCH] update vulnerabilities and code-review-guidelines --- .../geth-developer/code-review-guidelines.md | 7 ++++--- .../geth-developer/vulnerabilities.md | 21 +++++++------------ 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/content/docs/developers/geth-developer/code-review-guidelines.md b/content/docs/developers/geth-developer/code-review-guidelines.md index e19da73f90..bdb4e12ab7 100644 --- a/content/docs/developers/geth-developer/code-review-guidelines.md +++ b/content/docs/developers/geth-developer/code-review-guidelines.md @@ -89,8 +89,8 @@ issue notices, e.g. "Fixes #42353". ### Special Situations And How To Deal With Them -As a reviewer, you may find yourself in one of the sitations below. Here's how to deal -with those: +Reviewers may find themselves in one of the sitations below. Here's how to deal +with them: * The author doesn't follow up: ping them after a while (i.e. after a few days). If there is no further response, close the PR or complete the work yourself. @@ -100,7 +100,8 @@ with those: submit the refactoring as an independent PR, or at least as an independent commit in the same PR. -* Author keeps rejecting your feedback: reviewers have authority to reject any change for technical reasons. If you're unsure, ask the team for a second opinion. You may close the PR if no consensus can be reached. +* Author keeps rejecting feedback: reviewers have authority to reject any change for technical reasons. +If you're unsure, ask the team for a second opinion. The PR can be closed if no consensus can be reached. [effgo]: https://golang.org/doc/effective_go.html [revcomment]: https://github.com/golang/go/wiki/CodeReviewComments diff --git a/content/docs/developers/geth-developer/vulnerabilities.md b/content/docs/developers/geth-developer/vulnerabilities.md index 07d7baf86d..05165b4be9 100644 
--- a/content/docs/developers/geth-developer/vulnerabilities.md +++ b/content/docs/developers/geth-developer/vulnerabilities.md @@ -3,8 +3,6 @@ title: Vulnerability disclosure sort_key: A --- -## About disclosures - In the software world, it is expected for security vulnerabilities to be immediately announced, thus giving operators an opportunity to take protective measure against attackers. @@ -12,18 +10,18 @@ attackers. Vulnerabilies typically take two forms: 1. Vulnerabilies that, if exploited, would harm the software operator. In the case of - go-ethereum, examples would be: + Geth, examples would be: - A bug that would allow remote reading or writing of OS files, or - Remote command execution, or - Bugs that would leak cryptographic keys 2. Vulnerabilies that, if exploited, would harm the Ethereum mainnet. In the case of - go-ethereum, examples would be: + Geth, examples would be: - Consensus vulnerabilities, which would cause a chain split, - Denial-of-service during block processing, whereby a malicious transaction could cause the geth-portion of the network to crash. - Denial-of-service via p2p networking, whereby portions of the network could be made inaccessible due to crashes or resource consumption. -In most cases so far, vulnerabilities in `geth` have been of the second type, where the +In most cases so far, vulnerabilities in Geth have been of the second type, where the health of the network is a concern, rather than individual node operators. For such issues, we reserve the right to silently patch and ship fixes in new releases. 
@@ -63,18 +61,15 @@ In keeping with this policy, we have taken inspiration from [Solidity bug disclo ## Disclosed vulnerabilities -In this folder, you can find a JSON-formatted list -([`vulnerabilities.json`](vulnerabilities.json)) of some of the known security-relevant -vulnerabilities concerning `geth`. +On the Geth Github can find a JSON-formatted list ([`vulnerabilities.json`](vulnerabilities.json)) +of some of the known security-relevant vulnerabilities concerning Geth. -As of `geth` version `1.9.25`, geth has a built-in command to check whether it is affected -by any publically disclosed vulnerability, using the command `geth version-check`. This -command will fetch the latest json file (and the accompanying +As of version `1.9.25`, Geth has a built-in command to check whether it is affected by any publically disclosed vulnerability, +using the command `geth version-check`. This command will fetch the latest json file (and the accompanying [signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own version number. -The file itself is hosted in the Github repository, on the `gh-pages`-branch. The list was -started in November 2020, and covers mainly `v1.9.7` and forward. +The list of vulnerabilities was started in November 2020, and covers mainly `v1.9.7` and forward. The JSON file of known vulnerabilities below is a list of objects, one for each vulnerability, with the following keys:
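Review bot: in the first hunk of `code-review-guidelines.md` (`@@ -89,8 +89,8 @@`), the rewritten opening sentence of "Special Situations And How To Deal With Them" carries over the misspelling "sitations" from the removed line; since the line is being rewritten anyway, make it "Reviewers may find themselves in one of the situations below."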
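Review bot: in the second hunk of `code-review-guidelines.md` (`@@ -100,7 +100,8 @@`), the new continuation line "If you're unsure, ask the team for a second opinion. The PR can be closed if no consensus can be reached." starts at column zero, while every other multi-line bullet in this list indents its continuation by two spaces (compare "  If there is no further response, close the PR or complete the work yourself." in the previous hunk). Indent it to match, or keep the item on one line as it was. The rewording is also only half done: "your feedback" and "You may close the PR" become impersonal, but "If you're unsure" stays in the second person; either keep "you" throughout or write "If unsure, ask the team for a second opinion."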
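Review bot: the first hunk of `vulnerabilities.md` (`@@ -3,8 +3,6 @@`) deletes the "## About disclosures" heading, so the body now starts directly after the front matter with no section heading until the next one. That is acceptable if the page title is meant to act as the heading, but the deletion also removes the `#about-disclosures` anchor; check for inbound links to that anchor before merging, or leave the heading in place.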
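Review bot: the second hunk of `vulnerabilities.md` (`@@ -12,18 +10,18 @@`) renames `go-ethereum` and `` `geth` `` to "Geth" but leaves the surrounding context inconsistent: "the geth-portion of the network to crash" two lines below the second rename still uses the lowercase name, and "Vulnerabilies" is misspelled three times in the same hunk ("Vulnerabilies typically take two forms" and the start of both numbered items). Since the hunk already rewrites these lines, fix them here as "the Geth portion of the network" and "Vulnerabilities".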
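Review bot: in the third hunk of `vulnerabilities.md` (`@@ -63,18 +61,15 @@`), the new first sentence under "## Disclosed vulnerabilities" has no subject: "On the Geth Github can find a JSON-formatted list" should read "On the Geth GitHub you can find a JSON-formatted list" or "The Geth GitHub repository hosts a JSON-formatted list". The same hunk removes the sentence that said where the file is hosted ("hosted in the Github repository, on the `gh-pages`-branch") and the old "In this folder" wording, yet keeps the relative links `vulnerabilities.json` and `vulnerabilities.json.minisig`; with the location gone, a reader can no longer tell where those links resolve, so either keep the branch mention or make the links absolute. Minor: "publically" in the added line is better as "publicly", and the context line "cross-check the data against it's own version number" should read "its" and is missing the closing parenthesis for "(and the accompanying [signature-file](...)".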