On Tue, Jun 1, 2010 at 10:57, Vincent
Massol<vincent(a)massol.net> wrote:
> On Jun 1, 2010, at 10:54 AM, Vincent Massol wrote:
>
>> On Jun 1, 2010, at 9:45 AM, Vincent Massol wrote:
>>
>>> On Jun 1, 2010, at 9:19 AM, Denis Gervalle wrote:
>>>
>>>> On Tue, Jun 1, 2010 at 00:52, Ludovic Dubost <ludovic(a)xwiki.com> wrote:
>>>>
>>>>> I'll throw in my James Bond culture here..
>>>>>
>>>>> The rule should be based on the "need-to-know" rule.
>>>>>
>>>>> We should let in people that need to know the information towards the goals we
>>>>> are setting for this list.
>>>>> The goal of this list is at this point to allow people to discuss solutions
>>>>> to security issues in order to fix them while not making XWiki unusable.
>>>>> I don't think it is at this point to inform "admins" of potential security
>>>>> issues (that should be another announcement list).
>>>>>
>>>>> So it should be about letting in people that prove they want to help. The
>>>>> less it seems they will help, the more we need to trust them!
>>>>> It's clearly a case by case basis.
>>>>>
>>>>> I don't think we should worry about not having enough people in this list.
>>>>> Working on security issues is hard and requires dedication, so it's already
>>>>> a happy few list.
>>>>> We'll recognize them very quickly.
>>>>>
>>>>> Ludovic
>>>>>
>>>> I am very +1 with Ludovic, and what has been published on XWiki.org is
>>>> sufficient for me.
>>> For me too. The fact that it says "contributing" should prevent casual lurkers.
>>>
>>>> If anyone not fitting Vincent's rules should be in for
>>>> some other reason, a committers' vote should do; else I'm not sure it is
>>>> required, an announcement on the security list should be enough.
>>>> Should committers do something to join?
>>> I think Alex has added us by default. Let me try to send an email to see if it works...
>> They're not added. I'm adding them.
> Actually no, I think it's better to let committers decide if they want to join that list or not.
>
> Right now the following persons have been added:
> - Jerome
> - Ludovic
> - AlexB
> - Caleb
> - Denis
> - Raffaello
> - me
I would like to be part of it.
> If other committers want to join, let me know here and I'll add you.
> Thanks
> -Vincent
>>> On 31/05/10 18:53, Caleb James DeLisle wrote:
>>>
>>>
>>>> Vincent Massol wrote:
>>>>
>>>> On May 31, 2010, at 6:18 PM, Caleb James DeLisle wrote:
>>>>>
>>>>> Vincent Massol wrote:
>>>>>> On May 31, 2010, at 5:02 PM, Alex Busenius wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>>>
>>>>>>>> The new mailing list security(a)xwiki.org was created. All core committers
>>>>>>>> will be on this list.
>>>>>>>>
>>>>>>>> This is *not* an announcement list, it is meant for technical
>>>>>>>> discussions about security issues. However, everyone can write to this
>>>>>>>> mailing list, e.g. to report security issues (mails will be reviewed by
>>>>>>>> the administrator first).
>>>>>>>>
>>>>>>>> If somebody else is interested in contributing to discussions on that
>>>>>>>> list, he or she should write a mail on the dev-list asking for access.
>>>>>>>> If the committers agree (meaning that nobody is -1 on it, similar to a
>>>>>>>> proposal) this person will get access.
>>>>>>>>
>>>>>>>> We also need to define who can get access. IMO:
>>>>>>> - persons who have submitted security issues in jira
>>>>>>> - persons who've submitted security patches
>>>>>>> - persons who have been contributing to xwiki for a long time
>>>>>>>
>>>>>>> These seem like nice guidelines but must we disallow people who we all
>>>>>>> know will help the discussion because they don't meet the requirements?
>>>>>>
>>>>>> IMO we can't define what makes someone unsuitable for the list but will
>>>>>> know them when we see them.
>>>>>>
>>>>>> It's much better to have a list of examples of what constitutes a valid
>>>>>> request than not having it. This is useful not only for committers to vote
>>>>>> but also for the person who asks so that he knows how to qualify.
>>>>>
>>>>> Otherwise voting is about thin air... and you're going to hurt people
>>>>> Caleb (+ generate unnecessary requests, votes and rejections).
>>>>>
>>>>> Take this example:
>>>>>
>>>>> I'm someone who has installed XE at my company. I want to be sure I know
>>>>> about security issues and I'm even ok to take part in the discussion about
>>>>> these issues. I sent a mail to the dev list asking to be on that list. Note
>>>>> that I have not sent any prior email to the list but I have participated
>>>>> (for ex) in other open source projects.
>>>>>
>>>>> I have no problem defining what the list is for and what it's not for.
>>>> "This list is not here to provide information about exploits and how to
>>>> deal with them, only ask to join if you wish to help"
>>>>
>>>> If this hypothetical admin is also a programmer and knows a lot about
>>>> security patterns
>>>> then we would be wise to let them in.
>>>>
>>>>
>>>>> How are you going to reject me or accept me? And if you reject me you need
>>>>> to give me a reason. What reason will it be?
>>>>>
>>>>> As you can see you'll have to list the reasons anyway and it's much
>>>>> better to do it upfront (even if the list is not complete) than not.
>>>>>
>>>>> Also if you reject me I'll be offended. I'm not a script kid. I'm someone
>>>>> honest and serious. How dare you reject me! This is not a real open source
>>>>> project! ;)
>>>>>
>>>>> What if somebody fits all of the requirements but has a history of
>>>> becoming bitter and publishing
>>>> security info about projects. Then if we reject them they will be that
>>>> much more angry because they
>>>> fit all of the rules.
>>>>
>>>> What about somebody who gets on the list by meeting the qualifications
>>>> then never sends anything, just (presumably)
>>>> logging the discussion?
>>>>
>>>> One final thought is we're probably making a mountain out of a molehill,
>>>> regulating who sees the secret jira issues has never been much of a problem.
>>>>
>>>>
>>>> Thanks
>>>>> -Vincent
>>>>>
>>>>>
>>>>>> Also it seems that rules stop people from doing the right thing while
>>>>>> people with bad intentions are usually more motivated and will thus find
>>>>>> a way around the rule.
>>>>>>
>>>>>> My +1 is for a case by case basis.
>>>>>>
>>>>>> Caleb
>>>>>>
>>>>>>
>>>>>> WDYT?
>>>>>>> Thanks
>>>>>>> -Vincent
>>>>>>>
>>>>>>>
>>>>>>> Alex
>>>>>>>>
>>>>>>>> On 05/26/2010 01:02 PM, Alex Busenius wrote:
>>>>>>>>
>>>>>>>> Hello devs,
>>>>>>>>>
>>>>>>>>> I propose to introduce a security mailing list (security(a)xwiki.org) to
>>>>>>>>> discuss details of security issues.
>>>>>>>>>
>>>>>>>>> This list should be private, with only committers and trusted
>>>>>>>>> contributors having read and write access. Anyone who proved his good
>>>>>>>>> intentions on the dev-list and bug tracker should be able to get access
>>>>>>>>> to security-list through the usual vote procedure.
>>>>>>>>>
>>>>>>>>> The purpose of this list is to give a safe place to discuss details of open
>>>>>>>>> security issues without giving all script kiddies in the world examples
>>>>>>>>> to write exploits. The discussions should be kept on this private list
>>>>>>>>> until the corresponding fix is released.
>>>>>>>>>
>>>>>>>>> WDYT?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs