If other committers want to join, let me know here and I'll add you.
Thanks
-Vincent
>>
Le 31/05/10 18:53, Caleb James DeLisle a écrit :
>>
>>
>>> Vincent Massol wrote:
>>>
>>> On May 31, 2010, at 6:18 PM, Caleb James DeLisle wrote:
>>>>
>>>>
>>>> Vincent Massol wrote:
>>>>>
>>>>> On May 31, 2010, at 5:02 PM, Alex Busenius wrote:
>>>>>>
>>>>>>
>>>>>> Hello,
>>>>>>>
>>>>>>>
>>>>>>> The new mailing list security(a)xwiki.org was created. All core
>>>>>>> committers will be on this list.
>>>>>>>
>>>>>>> This is *not* an announcement list, it is meant for technical
>>>>>>> discussions about security issues. However, everyone can write to this
>>>>>>> mailing list, e.g. to report security issues (mails will be reviewed by
>>>>>>> the administrator first).
>>>>>>>
>>>>>>> If somebody else is interested in contributing to discussions on that
>>>>>>> list, he or she should write a mail on the dev-list asking for access.
>>>>>>> If the committers agree (meaning that nobody is -1 on it, similar to a
>>>>>>> proposal) this person will get access.
>>>>>>>
>>>>>>> We also need to define who can get access. IMO:
>>>>>> - persons who have submitted security issues in jira
>>>>>> - persons who've submitted security patches
>>>>>> - persons who have been contributing to xwiki for a long time
>>>>>>
>>>>>> These seem like nice guidelines but must we disallow people who we all
>>>>>> know will help the discussion because they don't meet the requirements?
>>>>>>
>>>>>> IMO we can't define what makes someone unsuitable for the list but will
>>>>>> know them when we see them.
>>>>>
>>>>> It's much better to have a list of examples of what constitutes a valid
>>>>> request than not having it. This is useful not only for committers to vote
>>>>> but also for the person who asks so that he knows how to qualify.
>>>>>
>>>>> Otherwise voting is about thin air... and you're going to hurt people
>>>>> Caleb (+ generate unnecessary requests, votes and rejections).
>>>>
>>>> Take this example:
>>>>
>>>> I'm someone who has installed XE at my company. I want to be sure I know
>>>> about security issues and I'm even ok to take part in the discussion about
>>>> these issues. I sent a mail to the dev list asking to be on that list. Note
>>>> that I have not sent any prior email to the list but I have participated
>>>> (for ex) in other open source projects.
>>>>
>>>> I have no problem defining what the list is for and what it's not for.
>>> "This list is not here to provide information about exploits and how to
>>> deal with them, only ask to join if you wish to help"
>>>
>>> If this hypothetical admin is also a programmer and knows a lot about
>>> security patterns
>>> then we would be wise to let them in.
>>>
>>>
>>>> How are you going to reject me or accept me? And if you reject me you need
>>>> to give me a reason. What reason will it be?
>>>>
>>>> As you can see you'll have to list the reasons anyway and it's much
>>>> better to do it upfront (even if the list is not complete) than not.
>>>>
>>>> Also if you reject me I'll be offended. I'm not a script kid. I'm someone
>>>> honest and serious. How dare you reject me! This is not a real open source
>>>> project! ;)
>>>>
>>> What if somebody fits all of the requirements but has a history of
>>> becoming bitter and publishing security info about projects. Then if we
>>> reject them they will be that much more angry because they fit all of the
>>> rules.
>>>
>>> What about somebody who gets on the list by meeting the qualifications
>>> then never sends anything, just (presumably) logging the discussion?
>>>
>>> One final thought is we're probably making a mountain out of a mole hill,
>>> regulating who sees the secret jira issues has never been much of a problem.
>>>
>>>
>>> Thanks
>>>> -Vincent
>>>>
>>>>
>>>>> Also it seems that rules stop people from doing the right thing while
>>>>> people with bad intentions are usually more motivated and will thus find
>>>>> a way around the rule.
>>>>>
>>>>> My +1 is for a case by case basis.
>>>>>
>>>>> Caleb
>>>>>
>>>>>
>>>>> WDYT?
>>>>>>
>>>>>> Thanks
>>>>>> -Vincent
>>>>>>
>>>>>>
>>>>>> Alex
>>>>>>>
>>>>>>>
>>>>>>> On 05/26/2010 01:02 PM, Alex Busenius wrote:
>>>>>>>
>>>>>>> Hello devs,
>>>>>>>>
>>>>>>>>
>>>>>>>> I propose to introduce a security mailing list (security(a)xwiki.org)
>>>>>>>> to discuss details of security issues.
>>>>>>>>
>>>>>>>> This list should be private, with only committers and trusted
>>>>>>>> contributors having read and write access. Anyone who proved his good
>>>>>>>> intentions on the dev-list and bug tracker should be able to get access
>>>>>>>> to security-list through the usual vote procedure.
>>>>>>>>
>>>>>>>> The purpose of this list is to give a safe place to discuss details of
>>>>>>>> open security issues without giving all script kiddies in the world
>>>>>>>> examples to write exploits. The discussions should be kept on this
>>>>>>>> private list until the corresponding fix is released.
>>>>>>>>
>>>>>>>> WDYT?
>>>>>>>>
>>>>>>>>
>>>>>>>> Alex
_______________________________________________
devs mailing list
devs(a)xwiki.org