update vulnerabilities and code-review-guidelines
parent
fc9edf08ca
commit
007549d6f9
@ -89,8 +89,8 @@ issue notices, e.g. "Fixes #42353".
### Special Situations And How To Deal With Them
As a reviewer, you may find yourself in one of the sitations below. Here's how to deal
with those:
Reviewers may find themselves in one of the sitations below. Here's how to deal
with them:
* The author doesn't follow up: ping them after a while (i.e. after a few days). If there
is no further response, close the PR or complete the work yourself.
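Review bot: the replacement sentence "Reviewers may find themselves in one of the sitations below" carries over the "sitations" misspelling from the line it replaces; since this hunk already rewords that sentence into the third person, fix it to "situations" here instead of shipping the typo in the new wording.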
@ -100,7 +100,8 @@ with those:
submit the refactoring as an independent PR, or at least as an independent commit in the
same PR.
* Author keeps rejecting your feedback: reviewers have authority to reject any change for technical reasons. If you're unsure, ask the team for a second opinion. You may close the PR if no consensus can be reached.
* Author keeps rejecting feedback: reviewers have authority to reject any change for technical reasons.
If you're unsure, ask the team for a second opinion. The PR can be closed if no consensus can be reached.
[effgo]: https://golang.org/doc/effective_go.html
[revcomment]: https://github.com/golang/go/wiki/CodeReviewComments
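Review bot: the passive "The PR can be closed if no consensus can be reached" drops the actor that the preceding sentence just established ("reviewers have authority to reject any change"); since the bullet is about who may act, keep the subject explicit, e.g. "Reviewers may close the PR if no consensus can be reached." The re-wrapped first line of the bullet is also noticeably longer than the surrounding lines, so rewrap it to the width used elsewhere in this file.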
@ -3,8 +3,6 @@ title: Vulnerability disclosure
sort_key: A
---
## About disclosures
In the software world, it is expected for security vulnerabilities to be immediately
announced, thus giving operators an opportunity to take protective measure against
attackers.
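Review bot: the hunk header records two lines removed after the front matter, but every line shown here is unchanged context, so the only thing to flag is a nit in the retained paragraph: "take protective measure against attackers" should read "take protective measures against attackers".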
@ -12,18 +10,18 @@ attackers.
Vulnerabilies typically take two forms:
1. Vulnerabilies that, if exploited, would harm the software operator. In the case of
go-ethereum, examples would be:
Geth, examples would be:
- A bug that would allow remote reading or writing of OS files, or
- Remote command execution, or
- Bugs that would leak cryptographic keys
2. Vulnerabilies that, if exploited, would harm the Ethereum mainnet. In the case of
go-ethereum, examples would be:
Geth, examples would be:
- Consensus vulnerabilities, which would cause a chain split,
- Denial-of-service during block processing, whereby a malicious transaction could cause the geth-portion of the network to crash.
- Denial-of-service via p2p networking, whereby portions of the network could be made
inaccessible due to crashes or resource consumption.
In most cases so far, vulnerabilities in `geth` have been of the second type, where the
In most cases so far, vulnerabilities in Geth have been of the second type, where the
health of the network is a concern, rather than individual node operators. For such
issues, we reserve the right to silently patch and ship fixes in new releases.
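Review bot: the rename from "go-ethereum" and `geth` to "Geth" leaves this section inconsistent with itself: "Vulnerabilies" stays misspelled in all three places ("Vulnerabilies typically take two forms", items 1 and 2), and "the geth-portion of the network" in the block-processing DoS bullet keeps the lowercase spelling that the rest of the hunk is replacing. Fix to "Vulnerabilities" and "the Geth portion of the network" in the same commit, since these sentences are the ones being edited anyway.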
@ -63,18 +61,15 @@ In keeping with this policy, we have taken inspiration from [Solidity bug disclo
## Disclosed vulnerabilities
In this folder, you can find a JSON-formatted list
([`vulnerabilities.json`](vulnerabilities.json)) of some of the known security-relevant
vulnerabilities concerning `geth`.
On the Geth Github can find a JSON-formatted list ([`vulnerabilities.json`](vulnerabilities.json))
of some of the known security-relevant vulnerabilities concerning Geth.
As of `geth` version `1.9.25`, geth has a built-in command to check whether it is affected
by any publically disclosed vulnerability, using the command `geth version-check`. This
command will fetch the latest json file (and the accompanying
As of version `1.9.25`, Geth has a built-in command to check whether it is affected by any publically disclosed vulnerability,
using the command `geth version-check`. This command will fetch the latest json file (and the accompanying
[signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own
version number.
The file itself is hosted in the Github repository, on the `gh-pages`-branch. The list was
started in November 2020, and covers mainly `v1.9.7` and forward.
The list of vulnerabilities was started in November 2020, and covers mainly `v1.9.7` and forward.
The JSON file of known vulnerabilities below is a list of objects, one for each
vulnerability, with the following keys:
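Review bot: the new sentence "On the Geth Github can find a JSON-formatted list" is missing its subject ("you can find"), and since the paragraph no longer says "In this folder", the relative links `(vulnerabilities.json)` and `(vulnerabilities.json.minisig)` no longer resolve when this page is rendered anywhere other than the folder that holds the file; either keep the folder wording or make both links absolute. Dropping "The file itself is hosted in the Github repository, on the `gh-pages`-branch" also removes the only statement of where `geth version-check` fetches the list and its minisig signature from, which is exactly what an operator needs in order to verify that check out of band or to mirror the file; keep that sentence (the "started in November 2020" half can still be merged as done here). Nits in retained context: "publically" should be "publicly", and "cross-check the data against it's own version number" should be "its own".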