A couple thoughts: +1 to Ludovic's idea. Even the nicest people should have some valid reason for being there. Also this means a -1 is not a judgment of the person but rather of their reason.

Maybe the history should not be made available to the subscribers? With the list history, someone with bad intentions can get a lot of info quickly. Is there a valid need for the list history to be available to all members?

Caleb

Marius Dumitru Florea wrote:
> On 06/01/2010 12:01 PM, Thomas Mortagne wrote:
>> On Tue, Jun 1, 2010 at 10:57, Vincent Massol <[email protected]> wrote:
>>> On Jun 1, 2010, at 10:54 AM, Vincent Massol wrote:
>>>
>>>> On Jun 1, 2010, at 9:45 AM, Vincent Massol wrote:
>>>>
>>>>> On Jun 1, 2010, at 9:19 AM, Denis Gervalle wrote:
>>>>>
>>>>>> On Tue, Jun 1, 2010 at 00:52, Ludovic Dubost <[email protected]> wrote:
>>>>>>
>>>>>>> I'll throw in my James Bond culture here..
>>>>>>>
>>>>>>> The rule should be based on the "need-to-know" rule.
>>>>>>>
>>>>>>> We should let in people that need to know the information towards the goals we are setting for this list.
>>>>>>> The goal of this list is at this point to allow people to discuss solutions to security issues in order to fix them while not making XWiki unusable.
>>>>>>> I don't think it is at this point to inform "admins" of potential security issues (that should be another announcement list).
>>>>>>>
>>>>>>> So it should be about letting in people that prove they want to help. The lesser it seems they will help the more we need to trust them!
>>>>>>> It's clearly a case by case basis.
>>>>>>>
>>>>>>> I don't think we should worry about not having enough people in this list. Working on security issues is hard and requires dedication, so it's already a happy few list.
>>>>>>> We'll recognize them very quickly.
>>>>>>>
>>>>>>> Ludovic
>>>>>>>
>>>>>> I am very +1 with Ludovic, and what has been published on XWiki.org is sufficient for me.
>>>>> For me too. The fact that it says "contributing" should prevent casual lurkers.
>>>>>
>>>>>> If anyone not fitting Vincent's rules should be in for some other reason, a committers' vote should do, else, I'm not sure it is required, an announcement on the security list should be enough.
>>>>>> Should committers do something to join?
>>>>> I think Alex has added us by default. Let me try to send an email to see if it works...
>>>> They're not added. I'm adding them.
>>> Actually no, I think it's better to let committers decide if they want to join that list or not.
>>>
>>> Right now the following persons have been added:
>>> - Jerome
>>> - Ludovic
>>> - AlexB
>>> - Caleb
>>> - Denis
>>> - Raffaello
>>> - me
>
>> I would like to be part of it.
>
> Me too.
>
> Thanks,
> Marius
>
>>> If other committers want to join, let me know here and I'll add you.
>>>
>>> Thanks
>>> -Vincent
>>>
>>>>>>> On 31/05/10 18:53, Caleb James DeLisle wrote:
>>>>>>>
>>>>>>>> Vincent Massol wrote:
>>>>>>>>
>>>>>>>>> On May 31, 2010, at 6:18 PM, Caleb James DeLisle wrote:
>>>>>>>>>
>>>>>>>>>> Vincent Massol wrote:
>>>>>>>>>>> On May 31, 2010, at 5:02 PM, Alex Busenius wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> The new mailing list [email protected] was created. All core committers will be on this list.
>>>>>>>>>>>>
>>>>>>>>>>>> This is *not* an announcement list, it is meant for technical discussions about security issues. However, everyone can write to this mailing list, e.g. to report security issues (mails will be reviewed by the administrator first).
>>>>>>>>>>>>
>>>>>>>>>>>> If somebody else is interested in contributing to discussions on that list, he or she should write a mail on the dev-list asking for access. If the committers agree (meaning that nobody is -1 on it, similar to a proposal) this person will get access.
>>>>>>>>>>>>
>>>>>>>>>>> We also need to define who can get access. IMO:
>>>>>>>>>>> - persons who have submitted security issues in jira
>>>>>>>>>>> - persons who've submitted security patches
>>>>>>>>>>> - persons who have been contributing to xwiki for a long time
>>>>>>>>>>>
>>>>>>>>>> These seem like nice guidelines but must we disallow people who we all know will help the discussion because they don't meet the requirements?
>>>>>>>>>>
>>>>>>>>>> IMO we can't define what makes someone unsuitable for the list but will know them when we see them.
>>>>>>>>>>
>>>>>>>>> It's much better to have a list of examples of what constitutes a valid request than not having it. This is useful not only for committers to vote but also for the person who asks so that he knows how to qualify.
>>>>>>>>>
>>>>>>>>> Otherwise voting is about thin air... and you're going to hurt people Caleb (+ generate unnecessary requests, votes and rejections).
>>>>>>>>>
>>>>>>>>> Take this example:
>>>>>>>>>
>>>>>>>>> I'm someone who has installed XE at my company. I want to be sure I know about security issues and I'm even ok to take part in the discussion about these issues. I sent a mail to the dev list asking to be on that list. Note that I have not sent any prior email to the list but I have participated (for ex) in other open source projects.
>>>>>>>>>
>>>>>>>> I have no problem defining what the list is for and what it's not for.
>>>>>>>> "This list is not here to provide information about exploits and how to deal with them, only ask to join if you wish to help"
>>>>>>>>
>>>>>>>> If this hypothetical admin is also a programmer and knows a lot about security patterns then we would be wise to let them in.
>>>>>>>>
>>>>>>>>
>>>>>>>>> How are you going to reject me or accept me? And if you reject me you need to give me a reason. What reason will it be?
>>>>>>>>>
>>>>>>>>> As you can see you'll have to list the reasons anyway and it's much better to do it upfront (even if the list is not complete) than not.
>>>>>>>>>
>>>>>>>>> Also if you reject me I'll be offended. I'm not a script kid. I'm someone honest and serious. How dare you reject me! This is not a real open source project! ;)
>>>>>>>>>
>>>>>>>> What if somebody fits all of the requirements but has a history of becoming bitter and publishing security info about projects? Then if we reject them they will be that much more angry because they fit all of the rules.
>>>>>>>>
>>>>>>>> What about somebody who gets on the list by meeting the qualifications then never sends anything, just (presumably) logging the discussion?
>>>>>>>>
>>>>>>>> One final thought is we're probably making a mountain out of a molehill, regulating who sees the secret jira issues has never been much of a problem.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> -Vincent
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Also it seems that rules stop people from doing the right thing while people with bad intentions are usually more motivated and will thus find a way around the rule.
>>>>>>>>>>
>>>>>>>>>> My +1 is for a case by case basis.
>>>>>>>>>>
>>>>>>>>>> Caleb
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> WDYT?
>>>>>>>>>>> Thanks
>>>>>>>>>>> -Vincent
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Alex
>>>>>>>>>>>>
>>>>>>>>>>>> On 05/26/2010 01:02 PM, Alex Busenius wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello devs,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I propose to introduce a security mailing list ([email protected]) to discuss details of security issues.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This list should be private, with only committers and trusted contributors having read and write access. Anyone who proved his good intentions on the dev-list and bug tracker should be able to get access to security-list through the usual vote procedure.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The purpose of this list is to give a safe place to discuss details of open security issues without giving all script kiddies in the world examples to write exploits. The discussions should be kept on this private list until the corresponding fix is released.
>>>>>>>>>>>>>
>>>>>>>>>>>>> WDYT?
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Alex
>>> _______________________________________________
>>> devs mailing list
>>> [email protected]
>>> http://lists.xwiki.org/mailman/listinfo/devs

