update vulnerabilities and code-review-guidelines

This commit is contained in:
Joe 2022-08-02 14:07:22 +01:00
parent fc9edf08ca
commit 007549d6f9
2 changed files with 12 additions and 16 deletions

View File

@ -89,8 +89,8 @@ issue notices, e.g. "Fixes #42353".
### Special Situations And How To Deal With Them
As a reviewer, you may find yourself in one of the sitations below. Here's how to deal
with those:
Reviewers may find themselves in one of the sitations below. Here's how to deal
with them:
* The author doesn't follow up: ping them after a while (i.e. after a few days). If there
is no further response, close the PR or complete the work yourself.
@ -100,7 +100,8 @@ with those:
submit the refactoring as an independent PR, or at least as an independent commit in the
same PR.
* Author keeps rejecting your feedback: reviewers have authority to reject any change for technical reasons. If you're unsure, ask the team for a second opinion. You may close the PR if no consensus can be reached.
* Author keeps rejecting feedback: reviewers have authority to reject any change for technical reasons.
If you're unsure, ask the team for a second opinion. The PR can be closed if no consensus can be reached.
[effgo]: https://golang.org/doc/effective_go.html
[revcomment]: https://github.com/golang/go/wiki/CodeReviewComments

View File

@ -3,8 +3,6 @@ title: Vulnerability disclosure
sort_key: A
---
## About disclosures
In the software world, it is expected for security vulnerabilities to be immediately
announced, thus giving operators an opportunity to take protective measure against
attackers.
@ -12,18 +10,18 @@ attackers.
Vulnerabilies typically take two forms:
1. Vulnerabilies that, if exploited, would harm the software operator. In the case of
go-ethereum, examples would be:
Geth, examples would be:
- A bug that would allow remote reading or writing of OS files, or
- Remote command execution, or
- Bugs that would leak cryptographic keys
2. Vulnerabilies that, if exploited, would harm the Ethereum mainnet. In the case of
go-ethereum, examples would be:
Geth, examples would be:
- Consensus vulnerabilities, which would cause a chain split,
- Denial-of-service during block processing, whereby a malicious transaction could cause the geth-portion of the network to crash.
- Denial-of-service via p2p networking, whereby portions of the network could be made
inaccessible due to crashes or resource consumption.
In most cases so far, vulnerabilities in `geth` have been of the second type, where the
In most cases so far, vulnerabilities in Geth have been of the second type, where the
health of the network is a concern, rather than individual node operators. For such
issues, we reserve the right to silently patch and ship fixes in new releases.
@ -63,18 +61,15 @@ In keeping with this policy, we have taken inspiration from [Solidity bug disclo
## Disclosed vulnerabilities
In this folder, you can find a JSON-formatted list
([`vulnerabilities.json`](vulnerabilities.json)) of some of the known security-relevant
vulnerabilities concerning `geth`.
On the Geth Github can find a JSON-formatted list ([`vulnerabilities.json`](vulnerabilities.json))
of some of the known security-relevant vulnerabilities concerning Geth.
As of `geth` version `1.9.25`, geth has a built-in command to check whether it is affected
by any publically disclosed vulnerability, using the command `geth version-check`. This
command will fetch the latest json file (and the accompanying
As of version `1.9.25`, Geth has a built-in command to check whether it is affected by any publically disclosed vulnerability,
using the command `geth version-check`. This command will fetch the latest json file (and the accompanying
[signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own
version number.
The file itself is hosted in the Github repository, on the `gh-pages`-branch. The list was
started in November 2020, and covers mainly `v1.9.7` and forward.
The list of vulnerabilities was started in November 2020, and covers mainly `v1.9.7` and forward.
The JSON file of known vulnerabilities below is a list of objects, one for each
vulnerability, with the following keys: