"How do I handle security-related issues on River?"
Sounds like process to me...
Mark: I was keying off your ideas on this from the email
thread, as well as your dialog with Jools and others.
I see the conflict if the field is named a certain way (e.g.,
"Security Issue"), but maybe that could be accommodated by
changing the field name to "Security Issue Under Committer
Discussion" or some such -- indicating that the issue is sensitive
at this stage (when marked) and needs to be private among the
Committers. Thus, when unchecked, it's still a security issue,
just not under Committer private discussion.
Happy to go with an alternative suggestion here if anyone
has one.
thanks -Jim
On Sep 6, 2007, at 4:36 AM, Mark Brouwer wrote:
Hi Jim,
I respond separately on "Handling security-related issues" as it does
not have that much to do with the process, merely a technical remark.

Handling security-related issues
Enable a special field in JIRA to mark an issue as a security
issue and restrict access to the JIRA issue to the PPMC and
committers.

Hold initial discussions on potential security issues on the
private PPMC list. When acknowledged that it's a valid security
issue, create a JIRA issue with the special security field marked.

As soon as appropriate (for example, when the impact is understood
and/or there is a resolution and fix developed), open the issue
and discussion to the river-dev list.
When we create such a field, it will become a default field when
people enter an issue. Any person can therefore mark (upon entering
the issue) an issue as a 'security issue'. In that case *no* mail
will be sent to the river-commit mailing list; I expect though that
the component owner (which we don't have) or otherwise the project
owner(s) will get a posting (this has to be tested). That person is
responsible for bringing it to the private mailing list.

As long as an issue stays marked as 'security issue' it stays hidden
from all except the committers. The only way to get it visible is to
mark it as no longer being a 'security issue', but that doesn't seem
right. Do you envision this as a problem?
--
Mark