Re: [xwiki-devs] [Proposal] A private security mailing list

On Jun 1, 2010, at 9:19 AM, Denis Gervalle wrote: > On Tue, Jun 1, 2010 at 00:52, Ludovic Dubost<ludovic(a)xwiki.com> wrote: > >> >> I'll throw in my James Bond culture here.. >> >> The rule should be based on the "need-to-know" rule. >> >> We should let people that need to know the information towards the goals we >> are setting for this list. >> The goal of this list is at this point to allow people to discuss solutions >> to security issues in order to fix them while not making XWiki unusable. >> I don't think it is at this point to inform "admins" of potential security >> issue (that should be another annoucement list). >> >> So it should be about letting in people that prove they want to help. The >> lesser it seems they will help the more we need to trust them ! >> It's clearly a case by case basis >> >> I don't think we should worry about not having enough people in this list. >> Working on security issues is hard and requires dedication, so it's already >> a happy few list. >> We'll recognize them very quickly. >> >> Ludovic >> > > I am very +1 with Ludovic, and what has been publish on XWiki.org is > sufficient for me. For me too. The fact that it says "contributing" should prevent casual lurkers. > If anyone not fitting Vincent's rules should be in for > some other reason, a committers'vote should do, else, I not sure it is > required, an announcement on the security list should be enough. > Should committers do something to join ? I think Alex has aded us by default. Let me try to send an email to see if it works...

>> Le 31/05/10 18:53, Caleb James DeLisle a écrit : >> >> >>> Vincent Massol wrote: >>> >>> On May 31, 2010, at 6:18 PM, Caleb James DeLisle wrote: >>>> >>>> >>>> Vincent Massol wrote: >>>>> >>>>> On May 31, 2010, at 5:02 PM, Alex Busenius wrote: >>>>>> >>>>>> >>>>>> Hello, >>>>>>> >>>>>>> >>>>>>> The new mailing list security(a)xwiki.org was created. All core >>>>>>> commiters >>>>>>> will be on this list. >>>>>>> >>>>>>> This is *not* an announcement list, it is meant for technical >>>>>>> discussions about security issues. However, everyone can write to >>>>>>> this >>>>>>> mailing list, e.g. to report security issues (mails will be reviewed >>>>>>> by >>>>>>> the administrator first). >>>>>>> >>>>>>> If somebody else is interested in contributing to discussions on that >>>>>>> list, he or she should write a mail on the dev-list asking for access. >>>>>>> If the commiters agree (meaning that nobody is -1 on it, similar to a >>>>>>> proposal) this person will get access. >>>>>>> >>>>>>> We also need to define who can get access. IMO: >>>>>> - persons who have submitted security issues in jira >>>>>> - persons who've submitted security patches >>>>>> - persons who have been contributing to xwiki for a long time >>>>>> >>>>>> These seem like nice guidelines but must we disallow people who we all >>>>> know >>>>> will help the discussion because they don't meet the requirements? >>>>> >>>>> IMO we can't define what makes someone unsuitable for the list but will >>>>> know >>>>> them when we see them. >>>>> >>>>> It's much better to have a list of examples of what constitutes a valid >>>> request than not having it. This is useful not only for committers to vote >>>> but also for the person who ask so that he knows how to qualify. >>>> >>>> Otherwise voting is about thin air... and you're going to hurt people >>>> Caleb (+ generate unnecessary requests, votes and rejections). >>>> >>>> Take this example: >>>> >>>> I'm someone who has installed XE at my company. I want to be sure I know >>>> about security issues and I'm even ok to take part in the discussion about >>>> these issues. I sent a mail to the dev list asking to be on that list. Note >>>> that I have not sent any prior email to the list but I have participated >>>> (for ex) to other open source projects. >>>> >>>> I have no problem defining what the list is for and what it's not for. >>> "This list is not here to provide information about exploits and how to >>> deal with them, only ask to join if you wish to help" >>> >>> If this hypothetical admin is also a programmer and knows a lot about >>> security patterns >>> then we would be wise to let them in. >>> >>> >>> How ar you going to reject me or accept me? And if you reject me you need >>>> to give me a reason. What reason will it be? >>>> >>>> As you can see you'll have to list the reasons anyway and it's much >>>> better to do it upfront (even if the list is not complete) than not. >>>> >>>> Also if you reject me I'll be offended. I'm not a script kid. I'm someone >>>> honest and serious. How dare you reject me! This is not a real open source >>>> project! ;) >>>> >>>> What if somebody fits all of the requirements but has a history of >>> becoming bitter and publishing >>> security info about projects. Then if we reject them they will be that >>> much more angry because they >>> fit all of the rules. >>> >>> What about somebody who gets on the list by meeting the qualifications >>> then never sends anything, just (presumably) >>> logging the discussion? >>> >>> One final thought is we're probably making a mountain out of a mole hill, >>> regulating who sees the secret jira issues has never been much of a problem. >>> >>> >>> Thanks >>>> -Vincent >>>> >>>> >>>> Also it seems that rules stop people from doing the right thing while >>>>> people with bad intentions are usually more motivated and will thus find >>>>> a way >>>>> around the rule. >>>>> >>>>> My +1 is for a case by case basis. >>>>> >>>>> Caleb >>>>> >>>>> >>>>> WDYT? >>>>>> >>>>>> Thanks >>>>>> -Vincent >>>>>> >>>>>> >>>>>> Alex >>>>>>> >>>>>>> >>>>>>> On 05/26/2010 01:02 PM, Alex Busenius wrote: >>>>>>> >>>>>>> Hello devs, >>>>>>>> >>>>>>>> >>>>>>>> I propose to introduce a security mailing list (security(a)xwiki.org) >>>>>>>> to >>>>>>>> discuss details of security issues. >>>>>>>> >>>>>>>> This list should be private, with only committers and trusted >>>>>>>> contributors having read and write access. Anyone who proved his good >>>>>>>> intentions on the dev-list and bug tracker should be able to get >>>>>>>> access >>>>>>>> to security-list through the usual vote procedure. >>>>>>>> >>>>>>>> The purpose of this list is to give a safe place to discuss details >>>>>>>> open >>>>>>>> security issues without giving all script kiddies in the world >>>>>>>> examples >>>>>>>> to write exploits. The discussions should be kept on this private >>>>>>>> list >>>>>>>> until the corresponding fix is released. >>>>>>>> >>>>>>>> WDYT? >>>>>>>> >>>>>>>> >>>>>>>> Alex