Archived
15
23
Fork
You've already forked meta
6

[AGREEMENT] gusted application to the security team #142

Closed
opened 2023年01月30日 19:05:54 +01:00 by Gusted · 1 comment

Application

I propose to be accountable for the Forgejo security and become part of the the security team.

  1. If you agree, please simply add a 👍 to this issue.
  2. If you disagree or have reservations, please write them down here, in a comment.

This application follows the Forgejo decision making process. It is still new: do not hesitate to voice any concern you may have.

Pledge

I pledge to read and respond in a timely manner to mails sent to security@forgejo.org.

I pledge to follow the principles of Coordinated vulnerability disclosure.

Background

I'm by no means a security professional and I don't have any formal education w.r.t. computer science, security or cryptography. But I am a Go developer with two years of experience and one and a half years of experience with the Forgejo/Gitea codebase.

I have previously been on the Gitea security team, where I fixed reported security exploits and simultaneously found several of them myself. While being on the temporary Forgejo security team, I have verified that Forgejo/Gitea were vulnerable to the two CVEs in Git and have realized (through a bug report) that certain email behavior could be exploited, for which I created a patch that was later upstreamed and caused a security release.

The security-related PRs that I have authored:

Security bug that I reported and provided a patch for:

### Application I propose to be accountable for the Forgejo security and become part of the [the security team](https://codeberg.org/forgejo/meta/src/branch/readme/TEAMS.md#security). 1. If you agree, please simply add a 👍 to this issue. 2. If you disagree or have reservations, please write them down here, in a comment. This application follows the Forgejo [decision making process](https://codeberg.org/forgejo/meta/src/branch/readme/DECISION-MAKING.md). It is still new: do not hesitate to voice any concern you may have. ### Pledge I pledge to read and respond in a timely manner to mails sent to `security@forgejo.org`. I pledge to follow the principles of [Coordinated vulnerability disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). ### Background I'm by no means a security professional and I don't have any formal education w.r.t. computer science, security or cryptography. But I am a Go developer with two years of experience and one and a half years of experience with the Forgejo/Gitea codebase. I have previously been on the Gitea security team, where I fixed reported security exploits and simultaneously found several of them myself. While being on the temporary Forgejo security team, I have verified that Forgejo/Gitea were vulnerable to the two CVEs in Git and have realized (through a bug report) that certain email behavior could be exploited, for which I created a patch that was later upstreamed and caused a security release. The security-related PRs that I have authored: - https://github.com/go-gitea/gitea/pull/18359 - https://github.com/go-gitea/gitea/pull/17666 - https://github.com/go-gitea/gitea/pull/20133 - https://github.com/go-gitea/gitea/pull/20332 Security bug that I reported and provided a patch for: - https://github.com/go-gitea/gitea/pull/22566

Closed by #174

Closed by https://codeberg.org/forgejo/meta/pulls/174
Commenting is not possible because the repository is archived.
No Branch/Tag specified
readme
No results found.
Labels
Clear labels
[Decision] Building proposal(s)
We're in a decision-making process, buiding one or more proposals to address the shared aim based on the criteria
[Decision] Gathering criteria
We're in a decision-making process, gathering criteria, considerations and needs
[Decision] Integrating concerns
We're in a decision-making process, working with a proposal, trying to integrate concerns and create modifications/support such that the proposal works for everyone
Accessibility
Relates to Accessibility (a11y) of product, project and process.
Agreement proposal
Forgejo agreement proposal, following a discussion
Communication
Relates to all channels, social media, website, blog posts.
Election
Process of appointing a person into a role or team (if choosing people just for a specific one-time task, use the Entrustment label)
Entrustment
Process of choosing/approving specific people to do a critical/high-impact one-time task (if choosing people for an ongoing role/team, use the Election label)
Governance
Relates to processes, procedures and decision-making.
Meeting
An upcoming team meeting
User research - Accessibility
Requires input about accessibility features, likely involves user testing.
User research - Blocked
Do not pick as-is! We are happy if you can help, but please coordinate with ongoing redesign in this area.
User research - Community
Community features, such as discovering other people's work or otherwise feeling welcome on a Forgejo instance.
User research - Config (instance)
Instance-wide configuration, authentication and other admin-only needs.
User research - Errors
How to deal with errors in the application and write helpful error messages.
User research - Filters
How filter and search is being worked with.
User research - Future backlog
The issue might be inspiring for future design work.
User research - Git workflow
AGit, fork-based and new Git workflow, PR creation etc
User research - Labels
Active research about Labels
User research - Moderation
Moderation Featuers for Admins are undergoing active User Research
User research - Needs input
Use this label to let the User Research team know their input is requested.
User research - Notifications/Dashboard
Research on how users should know what to do next.
User research - Rendering
Text rendering, markup languages etc
User research - Repo creation
Active research about the New Repo dialog.
User research - Repo units
The repo sections, disabling them and the "Add more" button.
User research - Security
User research - Settings (in-app)
How to structure in-app settings in the future?
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo/meta#142
Reference in a new issue
forgejo/meta
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?