How is security on gems used handled?


(Rodrigo) #1

Hi,

If I don’t misunderstand, discourse is using several gems installed in the default docker installation. But how can I track security issues on all (and future) gems used by docker and update them as needed?

Or how do others approach this problem? How can I update gems when needed? Or does docker release a new version if a new gem has a security bug?

Thanks a lot,
Rodrigo


(Robin Ward) #2

To audit the gems of a version you’ll have to look at the Gemfile.lock in the source folder. We update it frequently, so it is likely that gems have changed in every beta release at least.

Having said that, we do cut releases when we are made aware of security issues. We even backport them to our stable channel if you are following that. We also encourage our users to let us know if they hear about security issues in case we missed any announcements (although I don’t think that has happened so far.)
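The Gemfile.lock audit described above, as an added example that is not part of the original post and not Discourse's own tooling: it enumerates the gems pinned by a lockfile and flags any locked below a patched version. The lockfile excerpt and the "fixed in" versions are constructed placeholders, not real advisory data.

```ruby
# Added example (not Discourse's code): list the gems pinned by a Gemfile.lock
# and flag those older than the version an advisory says fixes them.
require "rubygems" # Gem::Version gives correct ordering (1.6.6.2 < 1.6.7)

# Constructed Gemfile.lock excerpt in Bundler's format; not Discourse's own.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.2.1)
        rack (~> 1.6)
      nokogiri (1.6.6.2-x86_64-linux)
        mini_portile (~> 0.6.0)
      rack (1.6.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    actionpack (= 4.2.1)
    nokogiri
LOCK

# Resolved gems sit exactly four spaces deep under "specs:"; their
# dependency lines (six spaces, version constraints) must not match.
SPEC_LINE = /\A {4}(\S+) \(([^)\s]+)\)\s*\z/

# Returns { gem_name => locked_version } for every spec in GEM/GIT/PATH sections.
def locked_gems(lockfile_text)
  in_specs = false
  lockfile_text.each_line.with_object({}) do |line, gems|
    in_specs = false if line =~ /\A\S/      # new top-level section
    in_specs = true if line.strip == "specs:"
    next unless in_specs
    m = SPEC_LINE.match(line.chomp) or next
    # Bundler appends "-<platform>" to native builds; drop it so
    # Gem::Version does not read the platform as a prerelease tag.
    gems[m[1]] = m[2].split("-", 2).first
  end
end

# Returns [[name, locked, fixed_in], ...] for gems older than their fix.
# Gems absent from the lockfile and gems already at the fixed version pass.
def unpatched(gems, fixed_versions)
  fixed_versions.filter_map do |name, fixed_in|
    locked = gems[name] or next
    next unless Gem::Version.new(locked) < Gem::Version.new(fixed_in)
    [name, locked, fixed_in]
  end
end

# Hypothetical "fixed in" versions; substitute values from the gem's advisory.
HYPOTHETICAL_FIXED_IN = { "nokogiri" => "1.6.7", "rack" => "1.6.0", "rails" => "4.2.2" }
```

Run against a real lockfile with `unpatched(locked_gems(File.read("Gemfile.lock")), advisories)`, where `advisories` maps gem names to the fixed versions published with each security release.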


(Rodrigo) #3

Sorry, I’m not sure I follow.

Are you saying that you will release a new stable discourse version if a gem used there has a security issue, and the discourse team will back-port the fix to that gem?

Thanks a lot,
Rodrigo


(Robin Ward) #4

Yes, we have several branches of discourse: stable, beta and master. If a gem is found to have a security issue we update it in all branches. Then people can easily update their site to get the upgrade.

Usually they are emailed about it too, if that stuff is set up.


(Jens Maier) #5

I’m not sure the word “backport” is appropriate in that context.

Backporting is something you do when you make a change to your current development branch, then go back to an old version, integrate that same change there and release it as an update for the older version.

Are you perhaps asking whether the Discourse team would fix a buggy gem themselves and what they’d do with that fix?


(Rodrigo) #6

Great, thanks! And is it too much if I also ask you how can I get that email when such a gem is updated? :slight_smile:


(Kane York) #7

It’ll be the same email as when a new version is released.

A new version of Discourse is available.

Your version: 1.3.0.beta5
New version: 1.3.0.beta6

You may want to:

Or:

Your version: 1.2.1
New version: 1.2.2


(Robin Ward) #8

Also if we flag an update as security there will be an extra note about it in the email.


(Rodrigo) #9

But, to receive that email, what should I do? Just go to the release category and put it under watching/tracking? Is that correct? :smile:

Thanks a lot, really!
Rodrigo


(Robin Ward) #10

Just make sure version checks and new version emails are checked in your instance. If your email is set up properly your discourse instance will email you about security alerts.


(Rodrigo) #11

Thanks, I didn’t notice but I already had them! :slight_smile: