update vulnerabilities and code-review-guidelines

pull/26459/head^2
Joe 2 years ago
parent fc9edf08ca
commit 007549d6f9
  1. content/docs/developers/geth-developer/code-review-guidelines.md (7)
  2. content/docs/developers/geth-developer/vulnerabilities.md (21)

@ -89,8 +89,8 @@ issue notices, e.g. "Fixes #42353".
### Special Situations And How To Deal With Them
As a reviewer, you may find yourself in one of the sitations below. Here's how to deal
with those:
Reviewers may find themselves in one of the sitations below. Here's how to deal
with them:
* The author doesn't follow up: ping them after a while (i.e. after a few days). If there
is no further response, close the PR or complete the work yourself.
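Review bot: the rewritten line "Reviewers may find themselves in one of the sitations below." carries the typo "sitations" over from the old text; since this line is being replaced anyway, spell it "situations".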
@ -100,7 +100,8 @@ with those:
submit the refactoring as an independent PR, or at least as an independent commit in the
same PR.
* Author keeps rejecting your feedback: reviewers have authority to reject any change for technical reasons. If you're unsure, ask the team for a second opinion. You may close the PR if no consensus can be reached.
* Author keeps rejecting feedback: reviewers have authority to reject any change for technical reasons.
If you're unsure, ask the team for a second opinion. The PR can be closed if no consensus can be reached.
[effgo]: https://golang.org/doc/effective_go.html
[revcomment]: https://github.com/golang/go/wiki/CodeReviewComments
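Review bot: the new two-line form of the "Author keeps rejecting feedback" bullet does not follow the wrapping of the surrounding bullets (its first line runs well past the width used by the neighbouring "submit the refactoring as an independent PR, or at least as an independent commit in the" / "same PR." lines); rewrap it to the same width so the rendered source stays consistent.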

@ -3,8 +3,6 @@ title: Vulnerability disclosure
sort_key: A
---
## About disclosures
In the software world, it is expected for security vulnerabilities to be immediately
announced, thus giving operators an opportunity to take protective measure against
attackers.
@ -12,18 +10,18 @@ attackers.
Vulnerabilies typically take two forms:
1. Vulnerabilies that, if exploited, would harm the software operator. In the case of
go-ethereum, examples would be:
Geth, examples would be:
- A bug that would allow remote reading or writing of OS files, or
- Remote command execution, or
- Bugs that would leak cryptographic keys
2. Vulnerabilies that, if exploited, would harm the Ethereum mainnet. In the case of
go-ethereum, examples would be:
Geth, examples would be:
- Consensus vulnerabilities, which would cause a chain split,
- Denial-of-service during block processing, whereby a malicious transaction could cause the geth-portion of the network to crash.
- Denial-of-service via p2p networking, whereby portions of the network could be made
inaccessible due to crashes or resource consumption.
In most cases so far, vulnerabilities in `geth` have been of the second type, where the
In most cases so far, vulnerabilities in Geth have been of the second type, where the
health of the network is a concern, rather than individual node operators. For such
issues, we reserve the right to silently patch and ship fixes in new releases.
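Review bot: the go-ethereum / `geth` to Geth rename on the three replaced lines is incomplete within this hunk: "cause the geth-portion of the network to crash" keeps the lowercase form, and the misspelling "Vulnerabilies" appears unchanged on three lines ("Vulnerabilies typically take two forms" and items 1 and 2). Fix both while the hunk is open so the terminology and spelling are consistent with the lines you are changing.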
@ -63,18 +61,15 @@ In keeping with this policy, we have taken inspiration from [Solidity bug disclo
## Disclosed vulnerabilities
In this folder, you can find a JSON-formatted list
([`vulnerabilities.json`](vulnerabilities.json)) of some of the known security-relevant
vulnerabilities concerning `geth`.
On the Geth Github can find a JSON-formatted list ([`vulnerabilities.json`](vulnerabilities.json))
of some of the known security-relevant vulnerabilities concerning Geth.
As of `geth` version `1.9.25`, geth has a built-in command to check whether it is affected
by any publically disclosed vulnerability, using the command `geth version-check`. This
command will fetch the latest json file (and the accompanying
As of version `1.9.25`, Geth has a built-in command to check whether it is affected by any publically disclosed vulnerability,
using the command `geth version-check`. This command will fetch the latest json file (and the accompanying
[signature-file](vulnerabilities.json.minisig), and cross-check the data against it's own
version number.
The file itself is hosted in the Github repository, on the `gh-pages`-branch. The list was
started in November 2020, and covers mainly `v1.9.7` and forward.
The list of vulnerabilities was started in November 2020, and covers mainly `v1.9.7` and forward.
The JSON file of known vulnerabilities below is a list of objects, one for each
vulnerability, with the following keys:
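Review bot: the new opening sentence of "Disclosed vulnerabilities" has lost its subject ("On the Geth Github can find a JSON-formatted list"); it should read "On the Geth GitHub you can find ...". The same hunk removes the sentence stating that the file is hosted on the `gh-pages` branch, so the relative links `(vulnerabilities.json)` and `(vulnerabilities.json.minisig)` now have no stated location; either point them at the full URL or keep the hosting sentence. While editing these lines also fix "publically" to "publicly", "json file" to "JSON file", and "against it's own version number" to "its own". Finally, the `geth version-check` description says the command fetches the signature file but not what it does with it; state whether the signature is verified before the list is trusted, since that is the property an operator relies on when acting on the result.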
