On Jun 1, 2010, at 9:45 AM, Vincent Massol wrote:

> On Jun 1, 2010, at 9:19 AM, Denis Gervalle wrote:
>
>> On Tue, Jun 1, 2010 at 00:52, Ludovic Dubost <[email protected]> wrote:
>>
>>> I'll throw in my James Bond culture here..
>>>
>>> The rule should be based on the "need-to-know" rule.
>>>
>>> We should let people that need to know the information towards the goals we
>>> are setting for this list.
>>> The goal of this list is at this point to allow people to discuss solutions
>>> to security issues in order to fix them while not making XWiki unusable.
>>> I don't think it is at this point to inform "admins" of potential security
>>> issues (that should be another announcement list).
>>>
>>> So it should be about letting in people that prove they want to help. The
>>> lesser it seems they will help the more we need to trust them !
>>> It's clearly a case by case basis
>>>
>>> I don't think we should worry about not having enough people in this list.
>>> Working on security issues is hard and requires dedication, so it's already
>>> a happy few list.
>>> We'll recognize them very quickly.
>>>
>>> Ludovic
>>
>> I am very +1 with Ludovic, and what has been published on XWiki.org is
>> sufficient for me.
>
> For me too. The fact that it says "contributing" should prevent casual
> lurkers.
>
>> If anyone not fitting Vincent's rules should be in for
>> some other reason, a committers' vote should do, else, I'm not sure it is
>> required, an announcement on the security list should be enough.
>> Should committers do something to join ?
>
> I think Alex has added us by default. Let me try to send an email to see if it
> works...

They're not added. I'm adding them.

Thanks
-Vincent

> Thanks
> -Vincent
>
>> Denis
>>
>>> On 31/05/10 18:53, Caleb James DeLisle wrote:
>>>
>>>> Vincent Massol wrote:
>>>>
>>>>> On May 31, 2010, at 6:18 PM, Caleb James DeLisle wrote:
>>>>>
>>>>>> Vincent Massol wrote:
>>>>>>
>>>>>>> On May 31, 2010, at 5:02 PM, Alex Busenius wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> The new mailing list [email protected] was created. All core committers
>>>>>>>> will be on this list.
>>>>>>>>
>>>>>>>> This is *not* an announcement list, it is meant for technical
>>>>>>>> discussions about security issues. However, everyone can write to this
>>>>>>>> mailing list, e.g. to report security issues (mails will be reviewed by
>>>>>>>> the administrator first).
>>>>>>>>
>>>>>>>> If somebody else is interested in contributing to discussions on that
>>>>>>>> list, he or she should write a mail on the dev-list asking for access.
>>>>>>>> If the committers agree (meaning that nobody is -1 on it, similar to a
>>>>>>>> proposal) this person will get access.
>>>>>>>
>>>>>>> We also need to define who can get access. IMO:
>>>>>>> - persons who have submitted security issues in jira
>>>>>>> - persons who've submitted security patches
>>>>>>> - persons who have been contributing to xwiki for a long time
>>>>>>
>>>>>> These seem like nice guidelines but must we disallow people who we all know
>>>>>> will help the discussion because they don't meet the requirements?
>>>>>>
>>>>>> IMO we can't define what makes someone unsuitable for the list but will know
>>>>>> them when we see them.
>>>>>
>>>>> It's much better to have a list of examples of what constitutes a valid
>>>>> request than not having it. This is useful not only for committers to vote
>>>>> but also for the person who asks so that he knows how to qualify.
>>>>>
>>>>> Otherwise voting is about thin air... and you're going to hurt people
>>>>> Caleb (+ generate unnecessary requests, votes and rejections).
>>>>>
>>>>> Take this example:
>>>>>
>>>>> I'm someone who has installed XE at my company. I want to be sure I know
>>>>> about security issues and I'm even ok to take part in the discussion about
>>>>> these issues. I sent a mail to the dev list asking to be on that list. Note
>>>>> that I have not sent any prior email to the list but I have participated
>>>>> (for ex) in other open source projects.
>>>>
>>>> I have no problem defining what the list is for and what it's not for.
>>>> "This list is not here to provide information about exploits and how to
>>>> deal with them, only ask to join if you wish to help"
>>>>
>>>> If this hypothetical admin is also a programmer and knows a lot about
>>>> security patterns then we would be wise to let them in.
>>>>
>>>>> How are you going to reject me or accept me? And if you reject me you need
>>>>> to give me a reason. What reason will it be?
>>>>>
>>>>> As you can see you'll have to list the reasons anyway and it's much
>>>>> better to do it upfront (even if the list is not complete) than not.
>>>>>
>>>>> Also if you reject me I'll be offended. I'm not a script kid. I'm someone
>>>>> honest and serious. How dare you reject me! This is not a real open source
>>>>> project! ;)
>>>>
>>>> What if somebody fits all of the requirements but has a history of
>>>> becoming bitter and publishing security info about projects. Then if we
>>>> reject them they will be that much more angry because they fit all of the
>>>> rules.
>>>>
>>>> What about somebody who gets on the list by meeting the qualifications
>>>> then never sends anything, just (presumably) logging the discussion?
>>>>
>>>> One final thought is we're probably making a mountain out of a mole hill,
>>>> regulating who sees the secret jira issues has never been much of a
>>>> problem.
>>>>
>>>>> Thanks
>>>>> -Vincent
>>>>>
>>>>>> Also it seems that rules stop people from doing the right thing while
>>>>>> people with bad intentions are usually more motivated and will thus find
>>>>>> a way around the rule.
>>>>>>
>>>>>> My +1 is for a case by case basis.
>>>>>>
>>>>>> Caleb
>>>>>>
>>>>>>> WDYT?
>>>>>>>
>>>>>>> Thanks
>>>>>>> -Vincent
>>>>>>>
>>>>>>>> Alex
>>>>>>>>
>>>>>>>> On 05/26/2010 01:02 PM, Alex Busenius wrote:
>>>>>>>>
>>>>>>>>> Hello devs,
>>>>>>>>>
>>>>>>>>> I propose to introduce a security mailing list ([email protected]) to
>>>>>>>>> discuss details of security issues.
>>>>>>>>>
>>>>>>>>> This list should be private, with only committers and trusted
>>>>>>>>> contributors having read and write access. Anyone who proved his good
>>>>>>>>> intentions on the dev-list and bug tracker should be able to get access
>>>>>>>>> to security-list through the usual vote procedure.
>>>>>>>>>
>>>>>>>>> The purpose of this list is to give a safe place to discuss details of
>>>>>>>>> open security issues without giving all script kiddies in the world
>>>>>>>>> examples to write exploits. The discussions should be kept on this
>>>>>>>>> private list until the corresponding fix is released.
>>>>>>>>>
>>>>>>>>> WDYT?
>>>>>>>>>
>>>>>>>>> Alex
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs

