On Tue, Jun 1, 2010 at 10:57, Vincent Massol <[email protected]> wrote:
>
> On Jun 1, 2010, at 10:54 AM, Vincent Massol wrote:
>
>>
>> On Jun 1, 2010, at 9:45 AM, Vincent Massol wrote:
>>
>>>
>>> On Jun 1, 2010, at 9:19 AM, Denis Gervalle wrote:
>>>
>>>> On Tue, Jun 1, 2010 at 00:52, Ludovic Dubost <[email protected]> wrote:
>>>>
>>>>>
>>>>> I'll throw in my James Bond culture here..
>>>>>
>>>>> The rule should be based on the "need-to-know" rule.
>>>>>
>>>>> We should let people that need to know the information towards the goals we
>>>>> are setting for this list.
>>>>> The goal of this list is at this point to allow people to discuss solutions
>>>>> to security issues in order to fix them while not making XWiki unusable.
>>>>> I don't think it is at this point to inform "admins" of potential security
>>>>> issues (that should be another announcement list).
>>>>>
>>>>> So it should be about letting in people that prove they want to help. The
>>>>> less it seems they will help, the more we need to trust them!
>>>>> It's clearly a case-by-case basis.
>>>>>
>>>>> I don't think we should worry about not having enough people in this list.
>>>>> Working on security issues is hard and requires dedication, so it's already
>>>>> a happy few list.
>>>>> We'll recognize them very quickly.
>>>>>
>>>>> Ludovic
>>>>>
>>>>
>>>> I am very +1 with Ludovic, and what has been published on XWiki.org is
>>>> sufficient for me.
>>>
>>> For me too. The fact that it says "contributing" should prevent casual lurkers.
>>>
>>>> If anyone not fitting Vincent's rules should be in for
>>>> some other reason, a committers' vote should do; else, I'm not sure it is
>>>> required, an announcement on the security list should be enough.
>>>> Should committers do something to join?
>>>
>>> I think Alex has added us by default. Let me try to send an email to see if
>>> it works...
>>
>> They're not added. I'm adding them.
>
> Actually no, I think it's better to let committers decide if they want to
> join that list or not.
>
> Right now the following persons have been added:
> - Jerome
> - Ludovic
> - AlexB
> - Caleb
> - Denis
> - Raffaello
> - me

I would like to be part of it.

>
> If other committers want to join, let me know here and I'll add you.
>
> Thanks
> -Vincent
>
>>>>> On 31/05/10 18:53, Caleb James DeLisle wrote:
>>>>>
>>>>>
>>>>>> Vincent Massol wrote:
>>>>>>
>>>>>> On May 31, 2010, at 6:18 PM, Caleb James DeLisle wrote:
>>>>>>>
>>>>>>>
>>>>>>> Vincent Massol wrote:
>>>>>>>>
>>>>>>>> On May 31, 2010, at 5:02 PM, Alex Busenius wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> The new mailing list [email protected] was created. All core committers
>>>>>>>>>> will be on this list.
>>>>>>>>>>
>>>>>>>>>> This is *not* an announcement list, it is meant for technical
>>>>>>>>>> discussions about security issues.  However, everyone can write to this
>>>>>>>>>> mailing list, e.g. to report security issues (mails will be reviewed by
>>>>>>>>>> the administrator first).
>>>>>>>>>>
>>>>>>>>>> If somebody else is interested in contributing to discussions on that
>>>>>>>>>> list, he or she should write a mail on the dev-list asking for access.
>>>>>>>>>> If the committers agree (meaning that nobody is -1 on it, similar to a
>>>>>>>>>> proposal) this person will get access.
>>>>>>>>>>
>>>>>>>>>> We also need to define who can get access. IMO:
>>>>>>>>> - persons who have submitted security issues in jira
>>>>>>>>> - persons who've submitted security patches
>>>>>>>>> - persons who have been contributing to xwiki for a long time
>>>>>>>>>
>>>>>>>>> These seem like nice guidelines but must we disallow people who we all
>>>>>>>> know
>>>>>>>> will help the discussion because they don't meet the requirements?
>>>>>>>>
>>>>>>>> IMO we can't define what makes someone unsuitable for the list but will
>>>>>>>> know
>>>>>>>> them when we see them.
>>>>>>>>
>>>>>>>> It's much better to have a list of examples of what constitutes a valid
>>>>>>> request than not having it. This is useful not only for committers to vote
>>>>>>> but also for the person who asks so that he knows how to qualify.
>>>>>>>
>>>>>>> Otherwise voting is about thin air... and you're going to hurt people
>>>>>>> Caleb (+ generate unnecessary requests, votes and rejections).
>>>>>>>
>>>>>>> Take this example:
>>>>>>>
>>>>>>> I'm someone who has installed XE at my company. I want to be sure I know
>>>>>>> about security issues and I'm even ok to take part in the discussion about
>>>>>>> these issues. I sent a mail to the dev list asking to be on that list. Note
>>>>>>> that I have not sent any prior email to the list but I have participated
>>>>>>> (for ex) in other open source projects.
>>>>>>>
>>>>>>> I have no problem defining what the list is for and what it's not for.
>>>>>> "This list is not here to provide information about exploits and how to
>>>>>> deal with them, only ask to join if you wish to help"
>>>>>>
>>>>>> If this hypothetical admin is also a programmer and knows a lot about
>>>>>> security patterns
>>>>>> then we would be wise to let them in.
>>>>>>
>>>>>>
>>>>>> How are you going to reject me or accept me? And if you reject me you need
>>>>>>> to give me a reason. What reason will it be?
>>>>>>>
>>>>>>> As you can see you'll have to list the reasons anyway and it's much
>>>>>>> better to do it upfront (even if the list is not complete) than not.
>>>>>>>
>>>>>>> Also if you reject me I'll be offended. I'm not a script kid. I'm someone
>>>>>>> honest and serious. How dare you reject me! This is not a real open source
>>>>>>> project! ;)
>>>>>>>
>>>>>>> What if somebody fits all of the requirements but has a history of
>>>>>> becoming bitter and publishing
>>>>>> security info about projects. Then if we reject them they will be that
>>>>>> much more angry because they
>>>>>> fit all of the rules.
>>>>>>
>>>>>> What about somebody who gets on the list by meeting the qualifications
>>>>>> then never sends anything, just (presumably)
>>>>>> logging the discussion?
>>>>>>
>>>>>> One final thought is we're probably making a mountain out of a mole hill,
>>>>>> regulating who sees the secret jira issues has never been much of a problem.
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>> -Vincent
>>>>>>>
>>>>>>>
>>>>>>> Also it seems that rules stop people from doing the right thing while
>>>>>>>> people with bad intentions are usually more motivated and will thus find
>>>>>>>> a way around the rule.
>>>>>>>>
>>>>>>>> My +1 is for a case by case basis.
>>>>>>>>
>>>>>>>> Caleb
>>>>>>>>
>>>>>>>>
>>>>>>>> WDYT?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> -Vincent
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Alex
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 05/26/2010 01:02 PM, Alex Busenius wrote:
>>>>>>>>>>
>>>>>>>>>> Hello devs,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I propose to introduce a security mailing list ([email protected]) to
>>>>>>>>>>> discuss details of security issues.
>>>>>>>>>>>
>>>>>>>>>>> This list should be private, with only committers and trusted
>>>>>>>>>>> contributors having read and write access. Anyone who proved his good
>>>>>>>>>>> intentions on the dev-list and bug tracker should be able to get access
>>>>>>>>>>> to security-list through the usual vote procedure.
>>>>>>>>>>>
>>>>>>>>>>> The purpose of this list is to give a safe place to discuss details of
>>>>>>>>>>> open security issues without giving all script kiddies in the world
>>>>>>>>>>> examples to write exploits. The discussions should be kept on this
>>>>>>>>>>> private list until the corresponding fix is released.
>>>>>>>>>>>
>>>>>>>>>>> WDYT?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Alex
>>
>
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>



-- 
Thomas Mortagne