On Fri, Jun 13, 2014 at 2:44 AM, Corey Farrell <[email protected]> wrote:

> I was looking at reviews.reviewboard.org to see if anything was in the works
> to allow restricted reviews; I found
> https://reviews.reviewboard.org/groups/security/ - "This group is
> invite-only. You must be a member of this group in order to see any review
> requests assigned to it. You can ask the administrator or group owner for
> access."
>
> Could we get something similar working? This would allow all security-related
> bugs to follow the same process as normal bugs, just limited to those
> with commit access.
>
> Some form of email to an invitation-only mailing list would be very useful,
> even if it is an uninformative notice: "Restricted review XXXX has been
> updated and can be viewed at https://..." The same applies to JIRA: security
> bugs are not sent to the asterisk-dev mailing list (this is good), but the
> tickets are not known unless we search for them. An email with minimum
> information would suffice: "JIRA ticket ASTERISK-XXXXX has been created or updated and can
> be viewed at https://..."
Thanks for finding that, Corey. A few days ago I went ahead and set up a new private Review Board group, "Security". After some brief testing with Mark and George, it looks like it is indeed private and does not generate e-mails to this list. I provided a brief update to the Security Vulnerabilities wiki page to note the existence of this group [1].

The proposed workflow is:

1. Vulnerability is reported to [email protected] or through the issue tracker.
2. A bug marshal sends a terse e-mail to the asterisk-dev mailing list notifying the developer community that a new vulnerability issue has been created. The e-mail should only contain a link to the JIRA issue. All communication occurs on the issue.
3. When a patch is ready, it is posted to Review Board in the Security group.
4. Normal process kicks in at this point, other than that committing of said patch once approved is coordinated with a security release.

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Vulnerabilities

If anyone who has commit access would like access to this group, please let me know.

Thanks

- Matt

--
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org

--
Bandwidth and Colocation Provided by http://www.api-digital.com
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-dev
