update vulnerabilities and code-review-guidelines

Joe 2022-08-02 14:07:22 +01:00
parent fc9edf08ca
commit 007549d6f9
2 changed files with 12 additions and 16 deletions

View File

@ -89,8 +89,8 @@ issue notices, e.g. "Fixes #42353".
### Special Situations And How To Deal With Them ### Special Situations And How To Deal With Them
As a reviewer, you may find yourself in one of the sitations below. Here's how to deal Reviewers may find themselves in one of the sitations below. Here's how to deal
with those: with them:
* The author doesn't follow up: ping them after a while (i.e. after a few days). If there * The author doesn't follow up: ping them after a while (i.e. after a few days). If there
is no further response, close the PR or complete the work yourself. is no further response, close the PR or complete the work yourself.
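Review bot: the rewritten lead-in still carries the misspelling "sitations" on both sides of the hunk; since the sentence is being reworded anyway, change it to "situations". In the first bullet, "i.e. after a few days" introduces an example rather than a restatement, so "e.g." is the right abbreviation there.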
@ -100,7 +100,8 @@ with those:
submit the refactoring as an independent PR, or at least as an independent commit in the submit the refactoring as an independent PR, or at least as an independent commit in the
same PR. same PR.
* Author keeps rejecting your feedback: reviewers have authority to reject any change for technical reasons. If you're unsure, ask the team for a second opinion. You may close the PR if no consensus can be reached. * Author keeps rejecting feedback: reviewers have authority to reject any change for technical reasons.
If you're unsure, ask the team for a second opinion. The PR can be closed if no consensus can be reached.
[effgo]: https://golang.org/doc/effective_go.html [effgo]: https://golang.org/doc/effective_go.html
[revcomment]: https://github.com/golang/go/wiki/CodeReviewComments [revcomment]: https://github.com/golang/go/wiki/CodeReviewComments
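Review bot: the voice is now inconsistent inside this bullet: the first and last sentences were moved to third person ("reviewers have authority", "The PR can be closed") but the middle sentence keeps "If you're unsure, ask the team". Suggest "If unsure, ask the team for a second opinion." so it matches the switch from "you" to "Reviewers" made in the previous hunk.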

View File

@ -3,8 +3,6 @@ title: Vulnerability disclosure
sort_key: A sort_key: A
--- ---
## About disclosures
In the software world, it is expected for security vulnerabilities to be immediately In the software world, it is expected for security vulnerabilities to be immediately
announced, thus giving operators an opportunity to take protective measure against announced, thus giving operators an opportunity to take protective measure against
attackers. attackers.
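Review bot: removing the "## About disclosures" heading also removes its anchor, so check that no other doc page links to `#about-disclosures` before merging. While here, the unchanged sentence "take protective measure against attackers" should read "protective measures".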
@ -12,18 +10,18 @@ attackers.
Vulnerabilies typically take two forms: Vulnerabilies typically take two forms:
1. Vulnerabilies that, if exploited, would harm the software operator. In the case of 1. Vulnerabilies that, if exploited, would harm the software operator. In the case of
go-ethereum, examples would be: Geth, examples would be:
- A bug that would allow remote reading or writing of OS files, or - A bug that would allow remote reading or writing of OS files, or
- Remote command execution, or - Remote command execution, or
- Bugs that would leak cryptographic keys - Bugs that would leak cryptographic keys
2. Vulnerabilies that, if exploited, would harm the Ethereum mainnet. In the case of 2. Vulnerabilies that, if exploited, would harm the Ethereum mainnet. In the case of
go-ethereum, examples would be: Geth, examples would be:
- Consensus vulnerabilities, which would cause a chain split, - Consensus vulnerabilities, which would cause a chain split,
- Denial-of-service during block processing, whereby a malicious transaction could cause the geth-portion of the network to crash. - Denial-of-service during block processing, whereby a malicious transaction could cause the geth-portion of the network to crash.
- Denial-of-service via p2p networking, whereby portions of the network could be made - Denial-of-service via p2p networking, whereby portions of the network could be made
inaccessible due to crashes or resource consumption. inaccessible due to crashes or resource consumption.
In most cases so far, vulnerabilities in `geth` have been of the second type, where the In most cases so far, vulnerabilities in Geth have been of the second type, where the
health of the network is a concern, rather than individual node operators. For such health of the network is a concern, rather than individual node operators. For such
issues, we reserve the right to silently patch and ship fixes in new releases. issues, we reserve the right to silently patch and ship fixes in new releases.
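Review bot: the go-ethereum to Geth rename is incomplete within this hunk: the unchanged line "could cause the geth-portion of the network to crash" still uses lowercase geth while the lines directly above it were changed to Geth. The misspelling "Vulnerabilies" appears three times in the unchanged context of this same list and should be fixed in the same pass.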
@ -63,18 +61,15 @@ In keeping with this policy, we have taken inspiration from [Solidity bug disclo
## Disclosed vulnerabilities ## Disclosed vulnerabilities
In this folder, you can find a JSON-formatted list On the Geth Github can find a JSON-formatted list ([`vulnerabilities.json`](vulnerabilities.json))
([`vulnerabilities.json`](vulnerabilities.json)) of some of the known security-relevant of some of the known security-relevant vulnerabilities concerning Geth.
vulnerabilities concerning `geth`.
As of `geth` version `1.9.25`, geth has a built-in command to check whether it is affected As of version `1.9.25`, Geth has a built-in command to check whether it is affected by any publically disclosed vulnerability,
by any publically disclosed vulnerability, using the command `geth version-check`. This using the command `geth version-check`. This command will fetch the latest json file (and the accompanying
command will fetch the latest json file (and the accompanying
[signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own [signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own
version number. version number.
The file itself is hosted in the Github repository, on the `gh-pages`-branch. The list was The list of vulnerabilities was started in November 2020, and covers mainly `v1.9.7` and forward.
started in November 2020, and covers mainly `v1.9.7` and forward.
The JSON file of known vulnerabilities below is a list of objects, one for each The JSON file of known vulnerabilities below is a list of objects, one for each
vulnerability, with the following keys: vulnerability, with the following keys:
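Review bot: the new sentence "On the Geth Github can find a JSON-formatted list" is missing its subject; write "The Geth GitHub repository hosts a JSON-formatted list ..." or "On the Geth GitHub you can find ...". Dropping the sentence about the `gh-pages` branch also removes the only statement of where `vulnerabilities.json` and its minisig signature are actually served from, which a reader verifying `geth version-check` behaviour needs; carry that location into the replacement sentence rather than leaving it at "the Geth Github". Smaller points in the same hunk: "it's own version number" should be "its own", "publically" should be "publicly", and the parenthesis opened before "and the accompanying" is never closed.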