On Tue, Jun 1, 2010 at 00:52, Ludovic Dubost <[email protected]> wrote:

>
> I'll throw in my James Bond culture here...
>
> The rule should be based on the "need-to-know" rule.
>
> We should let in people who need to know the information towards the goals we
> are setting for this list.
> The goal of this list is at this point to allow people to discuss solutions
> to security issues in order to fix them while not making XWiki unusable.
> I don't think it is at this point to inform "admins" of potential security
> issues (that should be another announcement list).
>
> So it should be about letting in people who prove they want to help. The
> less it seems they will help, the more we need to trust them!
> It's clearly a case-by-case basis.
>
> I don't think we should worry about not having enough people in this list.
> Working on security issues is hard and requires dedication, so it's already
> a happy few list.
> We'll recognize them very quickly.
>
> Ludovic
>

I am very +1 with Ludovic, and what has been published on XWiki.org is
sufficient for me. If anyone not fitting Vincent's rules should be in for
some other reason, a committers' vote should do; otherwise, I'm not sure it is
required, an announcement on the security list should be enough.
Should committers do something to join ?

Denis


>
> On 31/05/10 18:53, Caleb James DeLisle wrote:
>
>
>> Vincent Massol wrote:
>>
>>> On May 31, 2010, at 6:18 PM, Caleb James DeLisle wrote:
>>>
>>>
>>>> Vincent Massol wrote:
>>>>
>>>>> On May 31, 2010, at 5:02 PM, Alex Busenius wrote:
>>>>>
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>>
>>>>>> The new mailing list [email protected] was created. All core
>>>>>> committers will be on this list.
>>>>>>
>>>>>> This is *not* an announcement list, it is meant for technical
>>>>>> discussions about security issues.  However, everyone can write to this
>>>>>> mailing list, e.g. to report security issues (mails will be reviewed by
>>>>>> the administrator first).
>>>>>>
>>>>>> If somebody else is interested in contributing to discussions on that
>>>>>> list, he or she should write a mail on the dev-list asking for access.
>>>>>> If the committers agree (meaning that nobody is -1 on it, similar to a
>>>>>> proposal) this person will get access.
>>>>>>
>>>>> We also need to define who can get access. IMO:
>>>>> - persons who have submitted security issues in jira
>>>>> - persons who've submitted security patches
>>>>> - persons who have been contributing to xwiki for a long time
>>>>>
>>>> These seem like nice guidelines but must we disallow people who we all
>>>> know will help the discussion because they don't meet the requirements?
>>>>
>>>> IMO we can't define what makes someone unsuitable for the list but will
>>>> know them when we see them.
>>>>
>>> It's much better to have a list of examples of what constitutes a valid
>>> request than not having it. This is useful not only for committers to vote
>>> but also for the person who asks, so that he knows how to qualify.
>>>
>>> Otherwise voting is about thin air... and you're going to hurt people
>>> Caleb (+ generate unnecessary requests, votes and rejections).
>>>
>>> Take this example:
>>>
>>> I'm someone who has installed XE at my company. I want to be sure I know
>>> about security issues and I'm even ok to take part in the discussion about
>>> these issues. I sent a mail to the dev list asking to be on that list. Note
>>> that I have not sent any prior email to the list but I have participated
>>> (for example) in other open source projects.
>>>
>> I have no problem defining what the list is for and what it's not for.
>> "This list is not here to provide information about exploits and how to
>> deal with them, only ask to join if you wish to help"
>>
>> If this hypothetical admin is also a programmer and knows a lot about
>> security patterns then we would be wise to let them in.
>>
>>
>>> How are you going to reject me or accept me? And if you reject me you need
>>> to give me a reason. What reason will it be?
>>>
>>> As you can see you'll have to list the reasons anyway and it's much
>>> better to do it upfront (even if the list is not complete) than not.
>>>
>>> Also if you reject me I'll be offended. I'm not a script kid. I'm someone
>>> honest and serious. How dare you reject me! This is not a real open source
>>> project! ;)
>>>
>> What if somebody fits all of the requirements but has a history of
>> becoming bitter and publishing security info about projects. Then if we
>> reject them they will be that much more angry because they fit all of the
>> rules.
>>
>> What about somebody who gets on the list by meeting the qualifications
>> then never sends anything, just (presumably) logging the discussion?
>>
>> One final thought is we're probably making a mountain out of a molehill;
>> regulating who sees the secret jira issues has never been much of a problem.
>>
>>
>>> Thanks
>>> -Vincent
>>>
>>>
>>>> Also it seems that rules stop people from doing the right thing while
>>>> people with bad intentions are usually more motivated and will thus find
>>>> a way around the rule.
>>>>
>>>> My +1 is for a case-by-case basis.
>>>>
>>>> Caleb
>>>>
>>>>
>>>>> WDYT?
>>>>>
>>>>> Thanks
>>>>> -Vincent
>>>>>
>>>>>
>>>>>> Alex
>>>>>>
>>>>>>
>>>>>> On 05/26/2010 01:02 PM, Alex Busenius wrote:
>>>>>>
>>>>>>> Hello devs,
>>>>>>>
>>>>>>>
>>>>>>> I propose to introduce a security mailing list ([email protected])
>>>>>>> to discuss details of security issues.
>>>>>>>
>>>>>>> This list should be private, with only committers and trusted
>>>>>>> contributors having read and write access. Anyone who proved his good
>>>>>>> intentions on the dev-list and bug tracker should be able to get access
>>>>>>> to the security-list through the usual vote procedure.
>>>>>>>
>>>>>>> The purpose of this list is to give a safe place to discuss details of
>>>>>>> open security issues without giving all script kiddies in the world
>>>>>>> examples to write exploits. The discussions should be kept on this
>>>>>>> private list until the corresponding fix is released.
>>>>>>>
>>>>>>> WDYT?
>>>>>>>
>>>>>>>
>>>>>>> Alex
>>>>>>>
>>>>> _______________________________________________
>>>>> devs mailing list
>>>>> [email protected]
>>>>> http://lists.xwiki.org/mailman/listinfo/devs
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>>
>
> --
> Ludovic Dubost
> Blog: http://blog.ludovic.org/
> XWiki: http://www.xwiki.com
> Skype: ldubost GTalk: ldubost
>
>
>


-- 
Denis Gervalle
SOFTEC sa - CEO
eGuilde sarl - CTO