Rather than using subtasks I think it would be better to use a component (named CVE or similar).
On 29 Nov 2016 1:50 PM, "Jacques Le Roux" <[email protected]> wrote:

> Also it would be better if we can group all security issues in Jira. For
> that I created OFBIZ-1525, please if you create Jira security issues create
> (or convert) them as subtasks of OFBIZ-1525
>
> Thanks
>
> Jacques
>
>
> On 29/11/2016 at 11:05, Pierre Smits wrote:
>
>> Of course, I implied this policy to be in line with
>> http://www.apache.org/security/
>>
>> Best regards,
>>
>> Pierre Smits
>>
>> ORRTIZ.COM <http://www.orrtiz.com>
>> OFBiz based solutions & services
>>
>> OFBiz Extensions Marketplace
>> http://oem.ofbizci.net/oci-2/
>>
>> On Tue, Nov 29, 2016 at 10:59 AM, Nicolas Malin <[email protected]>
>> wrote:
>>
>>> Yes I agree with Jacopo, we can create the issue only when they are
>>> corrected
>>>
>>> Nicolas
>>>
>>>
>>>
>>> On 29/11/2016 at 10:55, Jacopo Cappellato wrote:
>>>
>>>> We can definitely create one Jira ticket for each CVE number with all the
>>>> details we want and link them from the "security" section of the OFBiz
>>>> download page.
>>>> This was probably implied in Pierre's proposal, but I prefer to explicitly
>>>> state here: these tickets will be created only after the CVEs are publicly
>>>> disclosed (i.e. the tickets will be created and resolved at the same
>>>> time).
>>>> The good news is that we can create now all the tickets for the CVEs
>>>> processed so far in the history of OFBiz, in order to implement what Pierre
>>>> has proposed here.
>>>>
>>>> Jacopo
>>>>
>>>> On Tue, Nov 29, 2016 at 10:47 AM, Pierre Smits <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> Recently we have seen some security issues fixed in the code base
>>>>> (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in
>>>>> identifying, analysing and fixing these OFBiz security threats.
>>>>>
>>>>> When I look at how we communicate to our adopters that there are threats
>>>>> and how they can be mitigated [1] I believe we could and we should do a
>>>>> little bit more. There we merely put a reference to the CVE [2] issue (see
>>>>> [3] for example) and advice to upgrade. But on that page we leave out
>>>>> any particulars on how the issue affected OFBiz and what was done to it.
>>>>> Rightly so as it is just a list of notifications.
>>>>>
>>>>> The details about the effect of the issue and the mitigation are in
>>>>> commits. But there is no apparent relation between the notification on
>>>>> [1] and the actual commit that mitigated. Also reporting the CVE in JIRA
>>>>> issues is not optimal. This leads to the fact that details don't appear
>>>>> in release notes very well.
>>>>>
>>>>> I believe we could and should do better. We should *always* have a JIRA
>>>>> issue explaining the CVE issue and its effect on the OFBiz product, have it
>>>>> enhanced with the proper tags or labels (e.g. CVE/Security), and - like any
>>>>> other JIRA issue - have it showing with which commit(s) it has been
>>>>> resolved and on which branch it has been implemented.
>>>>>
>>>>> With a proper filter definition on JIRA we can then shorten the
>>>>> vulnerability section in [1] and have that link to that JIRA filter
>>>>> definition.
>>>>>
>>>>> What do you think?
>>>>>
>>>>> References:
>>>>>
>>>>> - [1] http://ofbiz.apache.org/download.html
>>>>> - [2] CVE: Common Vulnerability and Exposure
>>>>> - [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Pierre Smits
>>>>>
>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>> OFBiz based solutions & services
>>>>>
>>>>> OFBiz Extensions Marketplace
>>>>> http://oem.ofbizci.net/oci-2/
