Tiny Tiny RSS: Community

Best way to get security related announcements


#1

Hi,

I would like to be up-to-date with security announcements regarding tt-rss to be able to patch/update my own tt-rss instance in a timely manner (it’s not updated regularly as long as it works as expected). Unfortunately, I wasn’t able to find any security related (or any other new “versions” related) mailing list or something similar.

What is the best way to get to know about (potential) security issues?

Marcin


#2

RSS feed of master commits?

unless you volunteer to maintain something like that i can only suggest keeping up on commit messages


#3

Do the commit messages related to security issues contain any particular “keyword” (such as [SECURITY]) which could be used to automatically detect them?


#4

not really, you’ll have to use your brain i’m afraid.

good news is in the last 10 years i can remember maybe two security-related commits so it’s not that bad (so far, anyway).


#5

Glad to hear (about just around two cases).

Assuming that scale of security-related issues, maybe it would be possible to ask you to put a short message (such as “do upgrade immediately”) in a subcategory “security announcements” in the current forum when (accidentally) it happens again? It should be just ~2 minutes of your time per (hypothetical) incident. WDYT?

With that category created in advance, people could subscribe to it using native Discourse mechanisms and get email (or any other) notifications.


#6

I’d suggest either subscribing to the repo’s feed (it updates every 12 hours to 1 day)… or what I do: a cron job that does a git remote update on the production checkout, checks if there are any new commits, then mails the output to me. Then I can see in my email if there’s anything urgent.

You could also put your install behind some form of HTTP auth if you’re concerned about security.
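The cron approach from the post above, written out as an added example (this is not code from the thread or from the tt-rss project): a POSIX sh script that fetches whatever upstream branch the production checkout tracks, lists the commits that are upstream but not yet deployed, and exits non-zero when there are any, so that cron’s MAILTO delivers the output. The `TTRSS_DIR` variable, the exit codes and the keyword list are assumptions; as #4 says, tt-rss commit messages carry no fixed security tag, so the keyword check is only a heuristic to mark the mail, not a substitute for reading the log.

```shell
#!/bin/sh
# Added example: cron-driven check for undeployed upstream commits on a tt-rss checkout.
# Not part of tt-rss. Assumes the checkout tracks an upstream branch (e.g. origin/master).

# Print the commits that exist upstream but not in the local checkout.
# Exit status: 0 = nothing new, 10 = new commits printed, 2 = git error / no upstream.
check_new_commits() {
    repo="$1"
    git -C "$repo" remote update >/dev/null 2>&1 || return 2
    upstream=$(git -C "$repo" rev-parse --abbrev-ref --symbolic-full-name '@{u}' 2>/dev/null) \
        || return 2
    new=$(git -C "$repo" log --oneline "HEAD..$upstream") || return 2
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 10
}

# Heuristic (assumed keyword list): does a commit log look security related?
# Exit status 0 = matched, 1 = no match. Review the log yourself either way.
security_keywords='security|vuln|xss|csrf|sqli|injection|cve|auth'
flag_security() {
    printf '%s\n' "$1" | grep -Eiq "$security_keywords"
}

# Cron entry point. Example crontab line (cron mails stdout to MAILTO when non-empty):
#   MAILTO=admin@example.com
#   0 6 * * * TTRSS_DIR=/var/www/tt-rss /usr/local/bin/ttrss-check.sh
if [ -n "${TTRSS_DIR:-}" ]; then
    out=$(check_new_commits "$TTRSS_DIR") && rc=0 || rc=$?
    case $rc in
        0)  ;;  # nothing to do, no output, no mail
        10) if flag_security "$out"; then
                printf '*** possible SECURITY fix upstream, review now ***\n'
            fi
            printf 'Upstream commits not deployed in %s:\n%s\n' "$TTRSS_DIR" "$out" ;;
        *)  printf 'git check failed for %s (status %s)\n' "$TTRSS_DIR" "$rc" ;;
    esac
    exit "$rc"
fi
```

Leaving the exit status at 10 (rather than 0) when new commits are found lets a wrapper or monitoring job treat “behind upstream” as a condition in its own right; cron itself mails on output regardless of status.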


#7

I’ve a feeling that this way lies the Greg K-H solution, which would be to put a standard boilerplate on any update announcements saying “all users must upgrade” (see the blurb on the email for any LTS kernel release, which Greg added after people insisted they wanted to know if any given LTS patch included fixes for security issues).


#8

last time i did a sticky heads up post on the forums, adding an important announcements category is not a bad idea


#9

Thanks for using the announcement category - the notifications worked like a charm (a few days ago).