On 06/01/2010 12:01 PM, Thomas Mortagne wrote:
> On Tue, Jun 1, 2010 at 10:57, Vincent Massol<[email protected]>  wrote:
>>
>> On Jun 1, 2010, at 10:54 AM, Vincent Massol wrote:
>>
>>>
>>> On Jun 1, 2010, at 9:45 AM, Vincent Massol wrote:
>>>
>>>>
>>>> On Jun 1, 2010, at 9:19 AM, Denis Gervalle wrote:
>>>>
>>>>> On Tue, Jun 1, 2010 at 00:52, Ludovic Dubost<[email protected]>  wrote:
>>>>>
>>>>>>
>>>>>> I'll throw in my James Bond culture here...
>>>>>>
>>>>>> The rule should be based on the "need-to-know" rule.
>>>>>>
>>>>>> We should let in people that need to know the information towards the goals
>>>>>> we are setting for this list.
>>>>>> The goal of this list is at this point to allow people to discuss solutions
>>>>>> to security issues in order to fix them while not making XWiki unusable.
>>>>>> I don't think it is at this point to inform "admins" of potential security
>>>>>> issues (that should be another announcement list).
>>>>>>
>>>>>> So it should be about letting in people that prove they want to help. The
>>>>>> less it seems they will help, the more we need to trust them!
>>>>>> It's clearly a case by case basis.
>>>>>>
>>>>>> I don't think we should worry about not having enough people in this list.
>>>>>> Working on security issues is hard and requires dedication, so it's already
>>>>>> a happy few list.
>>>>>> We'll recognize them very quickly.
>>>>>>
>>>>>> Ludovic
>>>>>>
>>>>>
>>>>> I am very +1 with Ludovic, and what has been published on XWiki.org is
>>>>> sufficient for me.
>>>>
>>>> For me too. The fact that it says "contributing" should prevent casual
>>>> lurkers.
>>>>
>>>>> If anyone not fitting Vincent's rules should be in for
>>>>> some other reason, a committers' vote should do; else, I'm not sure it is
>>>>> required, an announcement on the security list should be enough.
>>>>> Should committers do something to join?
>>>>
>>>> I think Alex has added us by default. Let me try to send an email to see if
>>>> it works...
>>>
>>> They're not added. I'm adding them.
>>
>> Actually no, I think it's better to let committers decide if they want to
>> join that list or not.
>>
>> Right now the following persons have been added:
>> - Jerome
>> - Ludovic
>> - AlexB
>> - Caleb
>> - Denis
>> - Raffaello
>> - me
>

> I would like to be part of it.

Me too.

Thanks,
Marius

>
>>
>> If other committers want to join, let me know here and I'll add you.
>>
>> Thanks
>> -Vincent
>>
>>>>>> On 31/05/10 18:53, Caleb James DeLisle wrote:
>>>>>>
>>>>>>
>>>>>>> Vincent Massol wrote:
>>>>>>>
>>>>>>> On May 31, 2010, at 6:18 PM, Caleb James DeLisle wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Vincent Massol wrote:
>>>>>>>>>
>>>>>>>>> On May 31, 2010, at 5:02 PM, Alex Busenius wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> The new mailing list [email protected] was created. All core
>>>>>>>>>>> committers will be on this list.
>>>>>>>>>>>
>>>>>>>>>>> This is *not* an announcement list, it is meant for technical
>>>>>>>>>>> discussions about security issues.  However, everyone can write to this
>>>>>>>>>>> mailing list, e.g. to report security issues (mails will be reviewed by
>>>>>>>>>>> the administrator first).
>>>>>>>>>>>
>>>>>>>>>>> If somebody else is interested in contributing to discussions on that
>>>>>>>>>>> list, he or she should write a mail on the dev-list asking for access.
>>>>>>>>>>> If the committers agree (meaning that nobody is -1 on it, similar to a
>>>>>>>>>>> proposal) this person will get access.
>>>>>>>>>>>
>>>>>>>>>>> We also need to define who can get access. IMO:
>>>>>>>>>> - persons who have submitted security issues in jira
>>>>>>>>>> - persons who've submitted security patches
>>>>>>>>>> - persons who have been contributing to xwiki for a long time
>>>>>>>>>>
>>>>>>>>>> These seem like nice guidelines but must we disallow people who we all
>>>>>>>>> know will help the discussion because they don't meet the requirements?
>>>>>>>>>
>>>>>>>>> IMO we can't define what makes someone unsuitable for the list but will
>>>>>>>>> know them when we see them.
>>>>>>>>>
>>>>>>>>> It's much better to have a list of examples of what constitutes a valid
>>>>>>>> request than not having it. This is useful not only for committers to vote
>>>>>>>> but also for the person who asks so that he knows how to qualify.
>>>>>>>>
>>>>>>>> Otherwise voting is about thin air... and you're going to hurt people
>>>>>>>> Caleb (+ generate unnecessary requests, votes and rejections).
>>>>>>>>
>>>>>>>> Take this example:
>>>>>>>>
>>>>>>>> I'm someone who has installed XE at my company. I want to be sure I know
>>>>>>>> about security issues and I'm even ok to take part in the discussion about
>>>>>>>> these issues. I sent a mail to the dev list asking to be on that list. Note
>>>>>>>> that I have not sent any prior email to the list but I have participated
>>>>>>>> (for ex) to other open source projects.
>>>>>>>>
>>>>>>>> I have no problem defining what the list is for and what it's not for.
>>>>>>> "This list is not here to provide information about exploits and how to
>>>>>>> deal with them, only ask to join if you wish to help"
>>>>>>>
>>>>>>> If this hypothetical admin is also a programmer and knows a lot about
>>>>>>> security patterns
>>>>>>> then we would be wise to let them in.
>>>>>>>
>>>>>>>
>>>>>>> How are you going to reject me or accept me? And if you reject me you need
>>>>>>>> to give me a reason. What reason will it be?
>>>>>>>>
>>>>>>>> As you can see you'll have to list the reasons anyway and it's much
>>>>>>>> better to do it upfront (even if the list is not complete) than not.
>>>>>>>>
>>>>>>>> Also if you reject me I'll be offended. I'm not a script kid. I'm someone
>>>>>>>> honest and serious. How dare you reject me! This is not a real open source
>>>>>>>> project! ;)
>>>>>>>>
>>>>>>>> What if somebody fits all of the requirements but has a history of
>>>>>>> becoming bitter and publishing security info about projects. Then if we
>>>>>>> reject them they will be that much more angry because they fit all of the
>>>>>>> rules.
>>>>>>>
>>>>>>> What about somebody who gets on the list by meeting the qualifications
>>>>>>> then never sends anything, just (presumably) logging the discussion?
>>>>>>>
>>>>>>> One final thought is we're probably making a mountain out of a molehill,
>>>>>>> regulating who sees the secret jira issues has never been much of a problem.
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>>> -Vincent
>>>>>>>>
>>>>>>>>
>>>>>>>> Also it seems that rules stop people from doing the right thing while
>>>>>>>>> people with bad intentions are usually more motivated and will thus find
>>>>>>>>> a way around the rule.
>>>>>>>>>
>>>>>>>>> My +1 is for a case by case basis.
>>>>>>>>>
>>>>>>>>> Caleb
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> WDYT?
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>> -Vincent
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Alex
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 05/26/2010 01:02 PM, Alex Busenius wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hello devs,
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I propose to introduce a security mailing list ([email protected]) to
>>>>>>>>>>>> discuss details of security issues.
>>>>>>>>>>>>
>>>>>>>>>>>> This list should be private, with only committers and trusted
>>>>>>>>>>>> contributors having read and write access. Anyone who proved his good
>>>>>>>>>>>> intentions on the dev-list and bug tracker should be able to get access
>>>>>>>>>>>> to security-list through the usual vote procedure.
>>>>>>>>>>>>
>>>>>>>>>>>> The purpose of this list is to give a safe place to discuss details of
>>>>>>>>>>>> open security issues without giving all script kiddies in the world
>>>>>>>>>>>> examples to write exploits. The discussions should be kept on this
>>>>>>>>>>>> private list until the corresponding fix is released.
>>>>>>>>>>>>
>>>>>>>>>>>> WDYT?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Alex
>>>
>>
>> _______________________________________________
>> devs mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/devs
>>
>
>
>