On Jun 1, 2010, at 10:54 AM, Vincent Massol wrote:

> 
> On Jun 1, 2010, at 9:45 AM, Vincent Massol wrote:
> 
>> 
>> On Jun 1, 2010, at 9:19 AM, Denis Gervalle wrote:
>> 
>>> On Tue, Jun 1, 2010 at 00:52, Ludovic Dubost <[email protected]> wrote:
>>> 
>>>> 
>>>> I'll throw in my James Bond culture here...
>>>> 
>>>> The rule should be based on the "need-to-know" rule.
>>>> 
>>>> We should let people that need to know the information towards the goals we
>>>> are setting for this list.
>>>> The goal of this list is at this point to allow people to discuss solutions
>>>> to security issues in order to fix them while not making XWiki unusable.
>>>> I don't think it is at this point to inform "admins" of potential security
>>>> issue (that should be another announcement list).
>>>> 
>>>> So it should be about letting in people that prove they want to help. The
>>>> less it seems they will help, the more we need to trust them!
>>>> It's clearly a case-by-case basis.
>>>> 
>>>> I don't think we should worry about not having enough people in this list.
>>>> Working on security issues is hard and requires dedication, so it's already
>>>> a happy few list.
>>>> We'll recognize them very quickly.
>>>> 
>>>> Ludovic
>>>> 
>>> 
>>> I am very +1 with Ludovic, and what has been published on XWiki.org is
>>> sufficient for me.
>> 
>> For me too. The fact that it says "contributing" should prevent casual 
>> lurkers.
>> 
>>> If anyone not fitting Vincent's rules should be in for
>>> some other reason, a committers' vote should do; else, I'm not sure it is
>>> required, an announcement on the security list should be enough.
>>> Should committers do something to join?
>> 
>> I think Alex has added us by default. Let me try to send an email to see if 
>> it works...
> 
> They're not added. I'm adding them.

Actually no, I think it's better to let committers decide if they want to join 
that list or not.

Right now the following persons have been added:
- Jerome
- Ludovic
- AlexB
- Caleb
- Denis
- Raffaello
- me

If other committers want to join, let me know here and I'll add you.

Thanks
-Vincent

>>>> On 31/05/10 18:53, Caleb James DeLisle wrote:
>>>> 
>>>> 
>>>>> Vincent Massol wrote:
>>>>> 
>>>>>> On May 31, 2010, at 6:18 PM, Caleb James DeLisle wrote:
>>>>>> 
>>>>>> 
>>>>>>> Vincent Massol wrote:
>>>>>>> 
>>>>>>>> On May 31, 2010, at 5:02 PM, Alex Busenius wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> Hello,
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> The new mailing list [email protected] was created. All core
>>>>>>>>> committers
>>>>>>>>> will be on this list.
>>>>>>>>> 
>>>>>>>>> This is *not* an announcement list, it is meant for technical
>>>>>>>>> discussions about security issues.  However, everyone can write to
>>>>>>>>> this
>>>>>>>>> mailing list, e.g. to report security issues (mails will be reviewed
>>>>>>>>> by
>>>>>>>>> the administrator first).
>>>>>>>>> 
>>>>>>>>> If somebody else is interested in contributing to discussions on that
>>>>>>>>> list, he or she should write a mail on the dev-list asking for access.
>>>>>>>>> If the committers agree (meaning that nobody is -1 on it, similar to a
>>>>>>>>> proposal) this person will get access.
>>>>>>>>> 
>>>>>>>> We also need to define who can get access. IMO:
>>>>>>>> - persons who have submitted security issues in jira
>>>>>>>> - persons who've submitted security patches
>>>>>>>> - persons who have been contributing to xwiki for a long time
>>>>>>>> 
>>>>>>> These seem like nice guidelines but must we disallow people who we all
>>>>>>> know
>>>>>>> will help the discussion because they don't meet the requirements?
>>>>>>> 
>>>>>>> IMO we can't define what makes someone unsuitable for the list but will
>>>>>>> know
>>>>>>> them when we see them.
>>>>>>> 
>>>>>> It's much better to have a list of examples of what constitutes a valid
>>>>>> request than not having it. This is useful not only for committers to 
>>>>>> vote
>>>>>> but also for the person who asks so that he knows how to qualify.
>>>>>> 
>>>>>> Otherwise voting is about thin air... and you're going to hurt people
>>>>>> Caleb (+ generate unnecessary requests, votes and rejections).
>>>>>> 
>>>>>> Take this example:
>>>>>> 
>>>>>> I'm someone who has installed XE at my company. I want to be sure I know
>>>>>> about security issues and I'm even ok to take part in the discussion 
>>>>>> about
>>>>>> these issues. I sent a mail to the dev list asking to be on that list. 
>>>>>> Note
>>>>>> that I have not sent any prior email to the list but I have participated
>>>>>> (for ex.) in other open source projects.
>>>>>> 
>>>>>> I have no problem defining what the list is for and what it's not for.
>>>>>> "This list is not here to provide information about exploits and how to
>>>>>> deal with them, only ask to join if you wish to help"
>>>>> 
>>>>> If this hypothetical admin is also a programmer and knows a lot about
>>>>> security patterns
>>>>> then we would be wise to let them in.
>>>>> 
>>>>> 
>>>>>> How are you going to reject me or accept me? And if you reject me you need
>>>>>> to give me a reason. What reason will it be?
>>>>>> 
>>>>>> As you can see you'll have to list the reasons anyway and it's much
>>>>>> better to do it upfront (even if the list is not complete) than not.
>>>>>> 
>>>>>> Also if you reject me I'll be offended. I'm not a script kid. I'm someone
>>>>>> honest and serious. How dare you reject me! This is not a real open 
>>>>>> source
>>>>>> project! ;)
>>>>>> 
>>>>> What if somebody fits all of the requirements but has a history of
>>>>> becoming bitter and publishing
>>>>> security info about projects. Then if we reject them they will be that
>>>>> much more angry because they
>>>>> fit all of the rules.
>>>>> 
>>>>> What about somebody who gets on the list by meeting the qualifications
>>>>> then never sends anything, just (presumably)
>>>>> logging the discussion?
>>>>> 
>>>>> One final thought is we're probably making a mountain out of a molehill,
>>>>> regulating who sees the secret jira issues has never been much of a 
>>>>> problem.
>>>>> 
>>>>> 
>>>>>> Thanks
>>>>>> -Vincent
>>>>>> 
>>>>>> 
>>>>>>> Also it seems that rules stop people from doing the right thing while
>>>>>>> people with bad intentions are usually more motivated and will thus find
>>>>>>> a way
>>>>>>> around the rule.
>>>>>>> 
>>>>>>> My +1 is for a case by case basis.
>>>>>>> 
>>>>>>> Caleb
>>>>>>> 
>>>>>>> 
>>>>>>>> WDYT?
>>>>>>>> 
>>>>>>>> Thanks
>>>>>>>> -Vincent
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> Alex
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 05/26/2010 01:02 PM, Alex Busenius wrote:
>>>>>>>>> 
>>>>>>>>>> Hello devs,
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> I propose to introduce a security mailing list ([email protected])
>>>>>>>>>> to
>>>>>>>>>> discuss details of security issues.
>>>>>>>>>> 
>>>>>>>>>> This list should be private, with only committers and trusted
>>>>>>>>>> contributors having read and write access. Anyone who has proved his good
>>>>>>>>>> intentions on the dev-list and bug tracker should be able to get
>>>>>>>>>> access
>>>>>>>>>> to security-list through the usual vote procedure.
>>>>>>>>>> 
>>>>>>>>>> The purpose of this list is to give a safe place to discuss details of
>>>>>>>>>> open
>>>>>>>>>> security issues without giving all script kiddies in the world
>>>>>>>>>> examples
>>>>>>>>>> to write exploits. The discussions should be kept on this private
>>>>>>>>>> list
>>>>>>>>>> until the corresponding fix is released.
>>>>>>>>>> 
>>>>>>>>>> WDYT?
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> Alex
> 

_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
