On Saturday, 9 June 2018 at 21:52:59 UTC, Seb wrote:
On Saturday, 9 June 2018 at 19:03:59 UTC, Cym13 wrote:
Yop.
I need to discuss an issue related to dub. No need to alarm
everyone yet, that only concerns 1.3% of dub projects, but
still it's something that shouldn't be taken lightly.
Who should I contact?
Sönke, Martin and myself.
https://github.com/s-ludwig (look in the DUB git log for his
email address)
https://github.com/MartinNowak
https://github.com/wilzbach
Thank you, the mail should be in your box already.
I'd very very much like to have something like a
[email protected] for such things, it's not the first and
likely not the last time this need arises, and the lack of a
clear procedure doesn't encourage coordinated disclosure.
I will try to get this email address set up.
At least we already have an official GPG keyring:
https://dlang.org/gpg_keys.html
Having the address will be a very good start, thank you.
For comparison the PHP project has two things that I enjoyed when
disclosing bugs:
1. Security guidelines (https://wiki.php.net/security) that
   clearly state what they consider a vulnerability and what
   isn't. I find it very well designed and it could be an
   inspiration for a D security guideline even though we're not
   having too many vulnerabilities disclosed right now as far as
   I know.
2. They configured their bugzilla so that when the category
   "security" is used the bug is made private and only the
   proper team is put in copy. I don't know how easy it is so an
   email address seems more practical right now I think. Note
   that this is in complement to [email protected] which they
   use mostly for security related talk but not bug reports.
Anyway, I'm not sure we need all this right now, but I'd rather
start the discussion early.