Import an old Wasmtime security advisory #2254
[Wasmtime] recently got a [request] to have our security advisories published on the RustSec database as well. We've got a few old advisories on here but we haven't been keeping up-to-date with later advisories. In lieu of automatic imports from GitHub to RustSec we figured we'd in the interim manually fill in some fields.

In this PR I'm filing a security advisory for [GHSA-88xq-w8cq-xfg7] which is a 3-year-old advisory at this point. This is to serve as an example for future imports of Wasmtime advisories so my hope is to get everything ok, copy this behavior for our other advisories that aren't listed in RustSec, and then apply this process to future advisories.

[Wasmtime]: https://crates.io/crates/wasmtime
[request]: bytecodealliance/wasmtime#10344
[GHSA-88xq-w8cq-xfg7]: GHSA-88xq-w8cq-xfg7
For maintainers here, two questions:
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-88xq-w8cq-xfg7.
For more information see the GitHub-hosted security advisory.
@peterhuene, can you release the copyright on the GHSA text here?
Hi @riking. What is the process to do that? If all that is required is a comment stating I release any and all copyright on the text of the advisory, I do so herein.
If there's something more formal required, please let me know.
Yup, that's good. The RustSec advisory DB is CC-0, so any imports from GHSA need separate copyright releases. @alexcrichton, ideally you can get that release before submitting the PR :)
IMO (as a recently joined maintainer):
We don't need a PR-per-advisory, I'm fine with adding many of these in the same PR or even in the same commit.
I think that's probably okay, as long as there's a decent title summarizing the issue. I'd suggest reducing the boilerplate:
Maybe like:
@alexcrichton you can submit several advisories in a single PR, and the ID assigner will make a single PR to assign them all incrementing IDs