Commit 0902886

committed
简中:安全政策 (zh-CN: security policy)
1 parent 90a205c commit 0902886

File tree: 1 file changed (+37, -36 lines)


locales/zh-CN/security.ftl

Lines changed: 37 additions & 36 deletions
@@ -5,28 +5,28 @@ policies-security-page-title = 安全政策
55
security-reporting-heading = 报告漏洞
66
security-reporting-link = { ENGLISH("[email protected]") } 发邮件
77
security-reporting-description--2025-07 =
8-
<p>Safety is one of the core principles of Rust, and to that end, we would like to ensure that Rust has a secure implementation. Thank you for taking the time to responsibly disclose any issues you find.</p>
9-
<p>All security bugs in the Rust distribution should be reported by email to { -security-at-rust-lang-org-anchor }. This list is delivered to a small security team. Your email will be acknowledged within 24 hours, and you’ll receive a more detailed response to your email within 48 hours indicating the next steps in handling your report.</p>
10-
<p>This email address receives a large amount of spam, so be sure to use a descriptive subject line to avoid having your report be missed. After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement. As recommended by <a href="{ -wikipedia-rfpolicy-href }">RFPolicy</a>, these updates will be sent at least every five days. In reality, this is more likely to be every 24-48 hours.</p>
11-
<p>If you have not received a reply to your email within 48 hours, or have not heard from the security team for the past five days, there are a few steps you can take (in order):</p>
8+
<p>安全性是 Rust 的核心原则之一,为此,我们希望确保 Rust 的实现是安全的。感谢您花时间负责任地披露您发现的任何问题。</p>
9+
<p>Rust 发行版中的所有安全漏洞都应通过电子邮件报告至 { -security-at-rust-lang-org-anchor }。此邮件列表会发送给一个小型安全团队。您的邮件将在 24 小时内收到确认回复,并在 48 小时内收到更详细的回复,说明处理您的报告的下一步措施。</p>
10+
<p>由于此电子邮件地址会收到大量垃圾邮件,请务必使用描述性主题行,以免您的报告被遗漏。在对您的报告进行初步回复后,安全团队将努力让您了解修复和完整公告的进展情况。根据 <a href="{ -wikipedia-rfpolicy-href }">RFPolicy</a> 的建议,这些更新至少每五天发送一次。实际上,这更可能是每 24-48 小时一次。</p>
11+
<p>如果您在 48 小时内未收到电子邮件回复,或者在过去五天内未收到安全团队的消息,您可以采取以下步骤(按顺序):</p>
1212
<ul>
1313
<li>
14-
Contact both the security coordinators directly:
14+
直接联系两位安全协调员:
1515
<ul>
1616
<li>{ -security-coordinator-1-email-anchor }</li>
1717
<li>{ -security-coordinator-2-email-anchor }</li>
1818
</ul>
1919
</li>
20-
<li>Post on the <a href="{ -internals-rust-lang-org-href }">internals forums</a></li>
20+
<li><a href="{ -internals-rust-lang-org-href }">internals 论坛</a> 上发帖</li>
2121
</ul>
22-
<p>Please note that the discussion forums are public areas. When escalating in these venues, please do not discuss your issue. Simply say that you’re trying to get a hold of someone from the security team.</p>
22+
<p>请注意,讨论论坛是公共区域。在这些场所升级时,请勿讨论您的问题。只需说明您正在尝试联系安全团队的某人即可。</p>
2323
24-
security-scope-heading = Scope
24+
security-scope-heading = 范围
2525
security-scope--2025-04 =
26-
<p>The Rust Security Response WG handles vulnerability reports for everything maintained and published by the Rust Project:</p>
26+
<p>Rust 安全响应工作组处理 Rust 项目维护和发布的所有内容的漏洞报告:</p>
2727
<ul>
2828
<li>
29-
The following GitHub organizations, and all repositories and CI pipelines hosted in them:
29+
以下 GitHub 组织及其所有仓库和 CI 管道:
3030
<ul>
3131
<li><a href="https://github.com/rust-lang"><code>rust-lang</code></a></li>
3232
<li><a href="https://github.com/rust-lang-ci"><code>rust-lang-ci</code></a></li>
@@ -35,45 +35,46 @@ security-scope--2025-04 =
3535
</ul>
3636
</li>
3737
<li>
38-
The following domain names, all their subdomains, and all applications hosted within:
38+
以下域名及其所有子域名,以及其中托管的所有应用程序:
3939
<ul>
40-
<li><a href="http://rust-lang.org">rust-lang.org</a> (see exceptions below)</li>
40+
<li><a href="http://rust-lang.org">rust-lang.org</a>(见下文例外情况)</li>
4141
<li><a href="http://rustup.rs">rustup.rs</a></li>
42-
<li><a href="http://crates.io">crates.io</a> (see exceptions below)</li>
42+
<li><a href="http://crates.io">crates.io</a>(见下文例外情况)</li>
4343
<li><a href="http://docs.rs">docs.rs</a></li>
4444
<li><a href="http://rfcbot.rs">rfcbot.rs</a></li>
4545
</ul>
4646
</li>
47-
<li>All crates owned by <a href="https://crates.io/users/rust-lang-owner">@rust-lang-owner</a> on <a href="http://crates.io">crates.io</a>.</li>
48-
<li>All extensions in the Visual Studio Marketplace published by <a href="https://marketplace.visualstudio.com/publishers/rust-lang"><code>rust-lang</code></a>.</li>
49-
<li>All extensions in the Open VSX registry published by <a href="https://open-vsx.org/namespace/rust-lang"><code>rust-lang</code></a>.</li>
47+
<li><a href="https://crates.io">crates.io</a> 上由 <a href="https://crates.io/users/rust-lang-owner">@rust-lang-owner</a> 拥有的所有 crate。</li>
48+
<li>Visual Studio Marketplace 上由 <a href="https://marketplace.visualstudio.com/publishers/rust-lang"><code>rust-lang</code></a> 发布的所有扩展。</li>
49+
<li>Open VSX 注册表中由 <a href="https://open-vsx.org/namespace/rust-lang"><code>rust-lang</code></a> 发布的所有扩展。</li>
5050
</ul>
51-
<p>The following things are <strong>outside our scope</strong>:</p>
51+
<p>以下内容<strong>不在我们的范围内</strong></p>
5252
<ul>
53-
<li>The <a href="http://internals.rust-lang.org">internals.rust-lang.org</a> and <a href="http://users.rust-lang.org">users.rust-lang.org</a> domains. Please follow <a href="https://github.com/discourse/discourse/blob/main/docs/SECURITY.md">Discourse's Security Policy</a> for it.</li>
54-
<li>Third-party packages published on <a href="http://crates.io">crates.io</a>. Please follow <a href="https://crates.io/security">crates.io's Security Policy</a> for them.</li>
53+
<li><a href="http://internals.rust-lang.org">internals.rust-lang.org</a> <a href="http://users.rust-lang.org">users.rust-lang.org</a> 域名。请遵循 <a href="https://github.com/discourse/discourse/blob/main/docs/SECURITY.md">Discourse 的安全政策</a></li>
54+
<li><a href="http://crates.io">crates.io</a> 上发布的第三方包。请遵循 <a href="https://crates.io/security">crates.io 的安全政策</a></li>
5555
</ul>
56-
<p>When reporting vulnerabilities, keep in mind that:</p>
56+
<p>报告漏洞时,请记住:</p>
5757
<ul>
58-
<li>Unless otherwise noted, all components of the Rust toolchain (rustc, Cargo, rust-analyzer, or any other tool shipped through rustup) assume that the user's source code and dependencies are fully trusted, reviewed and contain no malicious code. We do not consider attacks caused by compiling or analyzing malicious projects or dependencies a security vulnerability.</li>
59-
<li>Soundness issues in the Rust compiler or language are not automatically classified as a security vulnerability, but will be analyzed on a case-by-case basis if reported.</li>
60-
<li>The <code>regex</code> crate <a href="https://docs.rs/regex/latest/regex/#untrusted-input">provides guarantees about untrusted patterns</a>. We consider denial of service with untrusted patterns a security vulnerability only if the time spent inside of the <code>regex</code> crate is not linear, and none of the <a href="https://docs.rs/regex/latest/regex/struct.RegexBuilder.html">limit methods in <code>RegexBuilder</code></a> are able to prevent the attack.</li>
58+
<li>除非另有说明,Rust 工具链的所有组件(rustcCargorust-analyzer 或通过 rustup 提供的任何其他工具)假定用户的源代码和依赖项是完全可信的、经过审查且不包含恶意代码。我们不认为因编译或分析恶意项目或依赖项而导致的攻击是安全漏洞。</li>
59+
<li>Rust 编译器或语言中的健全性问题不会自动归类为安全漏洞,但如果报告,将根据具体情况进行分析。</li>
60+
<li><code>regex</code> crate <a href="https://docs.rs/regex/latest/regex/#untrusted-input">对不受信任的模式提供保证</a>。我们仅在 <code>regex</code> crate 内的时间不是线性时,且 <a href="https://docs.rs/regex/latest/regex/struct.RegexBuilder.html"><code>RegexBuilder</code> 中的限制方法</a>均无法防止攻击时,才将使用不受信任模式导致的拒绝服务视为安全漏洞。</li>
6161
</ul>
62-
<p>If you have doubts on whether something falls within our scope, <a href="mailto:[email protected]">please reach out</a> and we will provide guidance.</p>
62+
<p>如果您对某些内容是否属于我们的范围有疑问,请<a href="mailto:[email protected]">联系我们</a>,我们将提供指导。</p>
6363
6464
security-disclosure-heading = 信息披露政策
65-
security-disclosure-description =
66-
<p>Rust 项目有 5 步披露流程:</p>
67-
<ol>
68-
<li>收到安全报告后,将其分配给一位主要处理人。此人将协调修复和发布过程。</li>
69-
<li>确认问题并确定所有受影响版本。</li>
70-
<li>审核代码以发现任何潜在的类似问题。</li>
71-
<li>对所有仍在维护的版本准备修复程序。这些修复程序将不会推送到公共仓库,而是保留在本地,等待发布。</li>
72-
<li>过封锁期后,<a href="{ -rustlang-security-announcements-google-groups-forum-href }">Rust 安全邮件列表</a>将发布一份公告副本。这些更改会提交至公共仓库,更新后的程序将部署至 rust-lang.org。在收到通知邮件列表的 6 小时内,Rust 博客将发布该通报的副本。</li>
73-
</ol>
65+
security-disclosure-description--2025-07 =
66+
<p>Rust 项目有 5 步披露流程:</p>
67+
<ol>
68+
<li>收到安全报告后,将其分配给一位主要处理人。此人将协调修复和发布过程。</li>
69+
<li>确认问题并确定所有受影响的版本,并邀请相关 Rust 团队的领域专家参与。</li>
70+
<li>审核代码以发现任何潜在的类似问题。</li>
71+
<li>为所有受支持的发布分支准备修复程序,并保留 CVE 编号。这些修复程序不会提交到公共仓库,而是保存在私有仓库中,等待公告发布。这些修复程序会使用与公共更改相同的审查流程进行私下审查。</li>
72+
<li>在封禁日期,公告的副本会发送到 <a href="{ -rustlang-security-announcements-google-groups-forum-href }">Rust 安全邮件列表</a> 并发布在 Rust 博客上。这些更改会推送到公共仓库,并启动发布流程。在一小时内,CVE 数据库中会发布完整的详细信息。</li>
73+
</ol>
7474
<p>此过程可能需要一些时间,尤其是在需要与其他项目的维护人员进行协调时。我们将尽一切努力及时处理错误。但是,我们必须遵循上述发布流程,确保能够以一致的方式处理披露。</p>
7575
security-receiving-heading = 接收安全更新
76-
security-receiving-description =
77-
<p>接收所有安全公告的最佳方式是订阅 <a href="{ -rust-security-announcements-mailing-list-href }">Rust 安全公告邮件列表</a>(或发送电子邮件至 { -rustlang-security-announcements-subscribe-anchor })。邮件列表的业务量很少,在封禁期过后它会马上收到公共通知。</p>
78-
<p>我们会在封禁期解除前的 72 小时内向 { -distros-openwall-email-anchor } 公布漏洞,以便于 Linux 发行版更新其软件包。</p>
76+
security-receiving-description--2025-07 =
77+
<p>接收所有安全公告的最佳方式是订阅 <a href="{ -rust-security-announcements-mailing-list-href }">Rust 安全公告邮件列表</a>(或发送电子邮件至 { -rustlang-security-announcements-subscribe-anchor })。邮件列表的业务量很少,在封禁期过后它会马上收到公共通知。邮件列表上的公告由 <a href="{{ -rust-security-team-key-href }}">Rust 的安全密钥</a> 签名。</p>
78+
<p>Rust 项目仅为最新的稳定版本以及 <a href="{ -rust-security-supported-channels-href }">beta 和 nightly 渠道</a> 的最新版本提供支持和安全更新。由于 Rust 版本必须在公开环境中构建,我们将在封禁期解除后立即开始发布流程,并在更新的二进制文件可供下载后发布博客文章。</p>
79+
<p>当漏洞影响软件发行版时,我们将在封禁期解除前 72 小时向 { -distros-openwall-email-anchor } 宣布漏洞,以便发行版在封禁期解除时更新其软件包。</p>
7980
security-pgp-key-heading = 明文 PGP 公钥
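Review bot: line 77+ wraps the term in double braces, `<a href="{{ -rust-security-team-key-href }}">`, while every other placeable in this file uses single braces (compare `{ -rust-security-supported-channels-href }` on line 78+ and `{ -distros-openwall-email-anchor }` on line 79+); this looks like a copy-paste slip and should be `{ -rust-security-team-key-href }` so the signing-key link resolves like the others. Smaller translation nits in the same hunk: line 58+ runs the tool names together as `rustcCargorust-analyzer` and needs `、` separators (`rustc、Cargo、rust-analyzer`); line 53+ lists the two Discourse domains with nothing joining them where the English had "and" (add `和`), and lines 53+/54+ lack the closing `。`; line 51+ drops the colon after `不在我们的范围内` that introduces the list; and line 47+ links `https://crates.io` while lines 40+/42+ keep `http://crates.io`, so one scheme should be used throughout.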
