Sometimes there is a grey area between a security vulnerability and a really nice feature. I think it is important that everyone understand what a user should be able to do and what a user should not be able to do, since "that's not a bug, that's a feature" is cold comfort to a user who just discovered that his security requirements were not met. Also, having a standard laid down will allow us to better classify security issues if they are discovered (I can proudly say that we have improved here by leaps and bounds). I have a draft document which attempts to detail that line between bug and feature and I think it is time to move it into main space.
http://dev.xwiki.org/xwiki/bin/view/Drafts/Security+Specifications

WDYT?

Caleb
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs

