1 Jun
2010
1 Jun
'10
12:52 a.m.
I'll throw in my James Bond culture here..
The rule should be based on the "need-to-know" rule.
We should let people that need to know the information towards the goals
we are setting for this list.
The goal of this list is at this point to allow people to discuss
solutions to security issues in order to fix them while not making XWiki
unusable.
I don't think it is at this point to inform "admins" of potential
security issue (that should be another annoucement list).
So it should be about letting in people that prove they want to help.
The lesser it seems they will help the more we need to trust them !
It's clearly a case by case basis
I don't think we should worry about not having enough people in this
list. Working on security issues is hard and requires dedication, so
it's already a happy few list.
We'll recognize them very quickly.
Ludovic
Le 31/05/10 18:53, Caleb James DeLisle a écrit :
Vincent Massol wrote:
--
Ludovic Dubost
Blog: http://blog.ludovic.org/
XWiki: http://www.xwiki.com
Skype: ldubost GTalk: ldubost
On May 31, 2010, at 6:18 PM, Caleb James DeLisle
wrote:
I have no problem defining what the list is for and what it's not for.
"This list is not here to provide information about exploits and how to deal with
them, only ask to join if you wish to help"
If this hypothetical admin is also a programmer and knows a lot about security patterns
then we would be wise to let them in.
Vincent Massol wrote:
It's much better to have a list of examples of what constitutes a valid
request than not having it. This is useful not only for committers to vote but also for
the person who ask so that he knows how to qualify.
Otherwise voting is about thin air... and you're going to hurt people Caleb (+
generate unnecessary requests, votes and rejections).
Take this example:
I'm someone who has installed XE at my company. I want to be sure I know about
security issues and I'm even ok to take part in the discussion about these issues. I
sent a mail to the dev list asking to be on that list. Note that I have not sent any prior
email to the list but I have participated (for ex) to other open source projects.
On May 31, 2010, at 5:02 PM, Alex Busenius
wrote:
> Hello,
>
>
> The new mailing list security(a)xwiki.org was created. All core commiters
> will be on this list.
>
> This is *not* an announcement list, it is meant for technical
> discussions about security issues. However, everyone can write to this
> mailing list, e.g. to report security issues (mails will be reviewed by
> the administrator first).
>
> If somebody else is interested in contributing to discussions on that
> list, he or she should write a mail on the dev-list asking for access.
> If the commiters agree (meaning that nobody is -1 on it, similar to a
> proposal) this person will get access.
>
We also need to define who can get access. IMO:
- persons who have submitted security issues in jira
- persons who've submitted security patches
- persons who have been contributing to xwiki for a long time
These seem like nice guidelines but must we disallow people who we all know
will help the discussion because they don't meet the requirements?
IMO we can't define what makes someone unsuitable for the list but will know
them when we see them.
How ar you going to reject me or accept me? And
if you reject me you need to give me a reason. What reason will it be?
As you can see you'll have to list the reasons anyway and it's much better to do
it upfront (even if the list is not complete) than not.
Also if you reject me I'll be offended. I'm not a script kid. I'm someone
honest and serious. How dare you reject me! This is not a real open source project! ;)
What if somebody fits all of the requirements but has a history of becoming bitter
and publishing
security info about projects. Then if we reject them they will be that much more angry
because they
fit all of the rules.
What about somebody who gets on the list by meeting the qualifications then never sends
anything, just (presumably)
logging the discussion?
One final thought is we're probably making a mountain out of a mole hill, regulating
who sees the secret jira issues has never been much of a problem.
Thanks
-Vincent
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
Also it seems that rules stop people from doing
the right thing while
people with bad intentions are usually more motivated and will thus find a way
around the rule.
My +1 is for a case by case basis.
Caleb
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
WDYT?
Thanks
-Vincent
> Alex
>
>
> On 05/26/2010 01:02 PM, Alex Busenius wrote:
>
>> Hello devs,
>>
>>
>> I propose to introduce a security mailing list (security(a)xwiki.org) to
>> discuss details of security issues.
>>
>> This list should be private, with only committers and trusted
>> contributors having read and write access. Anyone who proved his good
>> intentions on the dev-list and bug tracker should be able to get access
>> to security-list through the usual vote procedure.
>>
>> The purpose of this list is to give a safe place to discuss details open
>> security issues without giving all script kiddies in the world examples
>> to write exploits. The discussions should be kept on this private list
>> until the corresponding fix is released.
>>
>> WDYT?
>>
>>
>> Alex
>>
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs