
Unclear what security policy would apply to gitdb and smmap vulnerabilities #116

Closed
EliahKagan opened this issue Jan 4, 2025 · 2 comments · Fixed by #117, gitpython-developers/GitPython#1991 or gitpython-developers/smmap#59

Comments

@EliahKagan
Contributor

At least currently, gitdb and smmap are developed and managed in separate repositories from GitPython. While GitPython has a SECURITY.md file indicating the requested methods of reporting security vulnerabilities, as well as having private vulnerability reporting enabled (to allow people to report vulnerabilities by creating draft advisories), neither gitdb nor smmap has either of these things. In addition, the GitPython SECURITY.md does not say how to report gitdb and smmap vulnerabilities. It is consequently not clear how any vulnerabilities found in code of the gitdb and smmap packages should be reported.

Some code in gitdb, and especially in smmap, may be less important today than in the past, with regard to security, since the in-memory object database is no longer widely recommended and no longer extensively used, though it does seem to remain in some use. However, some code of gitdb and smmap continues to be used as helper types in GitPython, even when only using GitPython to perform operations via git subprocesses. It seems some index-related operations may also be making greater use of code from gitdb than was expected.

Therefore, I recommend that SECURITY.md files be created here in the gitdb repository as well as in the smmap repository, so it is clear what the recommended way is to report any security vulnerabilities that may be found in them.

But I'm not sure what that recommendation should be. Assuming GitHub's private vulnerability reporting feature is to be a recommended approach, the recommendation (and whether private vulnerability reporting would be enabled in the gitdb and smmap repositories) would differ depending on what repository should hold and publish the advisory. Ordinarily this would be the same repository that has the code the advisory applies to, i.e. the gitdb or smmap repository.

But as discussed in gitpython-developers/smmap#53, there is interest in eventually merging the gitdb and smmap repositories into the GitPython repository. At that point, it would be most useful (though maybe not essential) for any published gitdb or smmap advisories to be listed under the GitPython security tab. But as far as I know there is no way to migrate them from one repository to another. A new repository-local advisory could be created, of course, but its GHSA wouldn't match and be linked with the GHSA in the GitHub Advisory Database.

@Byron
Member

Byron commented Jan 5, 2025

Thanks for bringing this up!

I also thought of it from the angle of reach - the GitPython repository will reach more people than the sibling-repositories ever will.

Hence I think SECURITY.md in GitPython should be adjusted to also include gitdb and smmap, while new SECURITY.md files should be created in gitdb and smmap to refer to the parent SECURITY.md in the GitPython repository, while keeping private reporting disabled to aggregate all reports in GitPython itself.

Does that make sense? If so, I think you'd be the best choice in adjusting/adding these files. I am also happy to do that otherwise.

@EliahKagan
Contributor Author

Does that make sense?

Yes. I'll open PRs to make the changes in all three repositories.

EliahKagan added a commit to EliahKagan/smmap that referenced this issue Jan 5, 2025
EliahKagan added a commit to EliahKagan/gitdb that referenced this issue Jan 5, 2025
Along with gitpython-developers/smmap#59
and a forthcoming related PR in GitPython, this will fix gitpython-developers#116.
EliahKagan added a commit to EliahKagan/GitPython that referenced this issue Jan 5, 2025
This expands `SECURITY.md` to affirm the claims in the new
`SECURITY.md` files in gitdb and smmap that vulnerabilities found
in them can be reported in the GitPython repository with the same
link as one would use to report a GitPython vulnerability, as well
as to note how the distinction between affected packages can be
specified when it is known at the time a vulnerability is reported.

Along with gitpython-developers/smmap#59
and gitpython-developers/gitdb#117, this
fixes gitpython-developers/gitdb#116.