Security Disclosures

Sean Farley sean at farley.io
Thu Dec 7 23:58:53 UTC 2017


Steering committee (and others that might have better ideas than I):

It was brought to my attention by our security team how embarrassing
it is to report a security bug to Mercurial. For our last security bug,
I must agree we really bumbled it.

In particular, a user reported this security bug to hg:
https://bz.mercurial-scm.org/show_bug.cgi?id=5730

Due to the way we have our bugzilla instance set up, it immediately got
sent to our mail list for all the public to see, which is unfortunate but
not much to do now.

I was a bit shocked at how hard it is to find
security at mercurial-scm.org:

1) nowhere on our bugzilla instance does it mention the security email
(we should probably make it clear that every bug is public as well)

2) google is no help either:
https://www.google.com/search?client=safari&rls=en&q=mercurial+security&ie=UTF-8&oe=UTF-8

https://www.google.com/search?q=mercurial+report+a+security+flaw&oq=mercurial+report+a+security+flaw&aqs=chrome..69i57.3535j0j7&sourceid=chrome&ie=UTF-8

(1) should be fairly easy to fix. Perhaps even have a security category
that goes to security at mercurial? No idea how difficult that is.

There is further criticism about not following our own process as well:

https://www.mercurial-scm.org/wiki/SecurityDisclosureProcess

Specifically, point number three. It's important to have this CVE as
distributions (and customers) sometimes only update when there is a CVE.
I think following our own guidelines and improving the reporting is
fairly important.

I'll follow up if there are any more formal complaints.