On 8/31/07, Mark Brouwer <[EMAIL PROTECTED]> wrote:
>
> Jools wrote:
>
> > If a security issue was found in river, I'd prefer that it be discussed
> > with a little privacy until the nature of the issue was fully understood,
> > and the possible issues which users of river may be exposed to should they
> > fail to patch their systems.
> >
> > All issues will ultimately become visible via JIRA, and should anybody
> > involved in the project wish to make a constructive comment, I would suggest
> > that be the place to do it.
>
> Good point, AFAIK there is no special field yet to mark an issue as
> a security issue, in which case only committers can see it and its
> details. This is possible to achieve in JIRA, as I've done the same thing
> for Cheiron.
>
> What is the opinion on dealing with security issues? My personal opinion
> would be to include a special "Security Level" field that has 2
> options: "None" and "Security risk", or to have the problem mailed to one
> of the committers who can take care of entering it in JIRA. We can use
> the private PMC list for discussing the matter.


I'd prefer it discussed on the private PMC list, then transferred to JIRA using
the above mentioned security notation.
Once the issue has been resolved and a fix specified, then it should
become public.

I'm sure this will be a 'once in a blue moon' type thing, but it's better to
be ahead of the curve :-)


> > My personal preference would be as follows;
> >
> > 1) Issue gets raised on mailing list.
> > 2) If the issue is genuine, then raise a JIRA id for it.
> > 3) Add yourself as interested in the id, and you will be notified of
> > changes.
> > 4) If you feel the need to comment, it will be recorded in the right place,
> > once. No need for any copying.
>
> Ok, I was thinking earlier on you were referring to remarks related to
> the actual code reviewing.

I would expect all comments, be they review or otherwise, to be added to the
JIRA report.
--Jools