Firejail: security issues disclosure

Created on 20 May 2016 · 18 Comments · Source: netblue30/firejail

There is currently no official way to disclose security issues in firejail. Since firejail is SUID and is a security tool, a disclosure channel might become very appropriate in time.

The goal of a security disclosure channel is to make fixing patches closer in time to deployment time. (By removing the gap where an issue is publicly known but no patch exists yet.)

Example solution:
an official email and GPG public key so that people can send encrypted mails.

All 18 comments

Send an email to [email protected], no GPG, just keep it simple. Maybe I can open an email list where I disclose important security fixes so people can update the software.

For the time being, OK. If firejail grows, I'd still advise to use GPG. It's the "Enigmail" plugin if you use Thunderbird, for example.

Anyway, closing the ticket for now.

"Firejail-security mailing list" sounds good, especially if it's not a google one.

Can you suggest a mailing list? The only one I used so far was google.

Sourceforge has mailing lists. But I guess you no longer want to use it.

For sure I can use it, it is already there, I just have to enable it. Thanks.

Offtopic: I did send a report to the official mail address, the same day this issue was opened.

Note that "disclosure" and "news announcement" are very different things.
I wanted to address "disclosure" in this issue, meaning letting the main developer know about issues (but not letting others know, yet).

there is no need for mailing lists and forums. we have the issues tracker here.

e-mail cryptography is important and it would be good to have your setup ready for it. you will still be able to receive non-encrypted e-mails. read this for a quick start.

in the 'release notes' we will learn about solved security problems.

@netblue30 any updates on the security issue I wrote to [email protected] ?
I've had some inconveniences because of this today, will be happy to hear any news. Did you get the e-mail / acknowledge what I wrote?

OOPS! I've just found it, sorry for that. The message is from May 20, with ~/deletme. Is this right?

@netblue30 Yup, that's the one. ("deleteme".)

I have no idea how I managed to miss it, I'll bring in a fix shortly, thanks!

@netblue30 no problem. I guess you have lots of tickets/comments each week. Will be waiting, thanks.

Fixed. It was the ugliest bug so far, thanks!

@netblue30 hey, I want a badge then: "found the ugliest bug so far". Just kiddin. :)
Thanks!

Or maybe "mails a new issue every friday". (I've created one other now.)

found the ugliest bug so far

Just take a look in the README file :)
