Re: [QGIS-Developer] Reporting security related issues ?

[Martin Dobias]

Hi

I would also like to join the group...

Thanks
Martin

On Fri, Feb 14, 2020, 00:29 Nyall Dawson  wrote:

> /me Raises hand also
>
> Nyall
> ___
> QGIS-Developer mailing list
> QGIS-Developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Nyall Dawson]

/me Raises hand also

Nyall
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Larry Shaffer]

Hi Richard, All,

I would like to be added as well.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


On Thu, Feb 13, 2020 at 5:23 AM Richard Duivenvoorde 
wrote:

> On 13/02/2020 13.08, security minded wrote:
> > Hello,
> >
> > I've tried to email secur...@qgis.org  but got
> > an error message: "We're writing to let you know that the group you
> > tried to contact (security) may not exist, or you may not have
> > permission to post messages to the group"
> >
>
> Ouch, sorry, me bad.
>
> Google settings are hard for me..
>
> Can you please try again?
>
> Regards,
>
> Richard Duivenvoorde
> ___
> QGIS-Developer mailing list
> QGIS-Developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Richard Duivenvoorde]

On 13/02/2020 13.08, security minded wrote:
> Hello,
> 
> I've tried to email secur...@qgis.org  but got
> an error message: "We're writing to let you know that the group you
> tried to contact (security) may not exist, or you may not have
> permission to post messages to the group"
> 

Ouch, sorry, me bad.

Google settings are hard for me..

Can you please try again?

Regards,

Richard Duivenvoorde
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[security minded]

Hello,

I've tried to email secur...@qgis.org but got an error message: "We're
writing to let you know that the group you tried to contact (security) may
not exist, or you may not have permission to post messages to the group"

Le mer. 12 févr. 2020 à 17:10, Richard Duivenvoorde  a
écrit :

> On 12/02/2020 17.01, Matthias Kuhn wrote:
> > Thanks Richard,
> >
> > I'm interested as well in being added.
> >
> > Will all people in the group be added as CC? It would be good if someone
> > asks a question back everyone else gets a notification as well (to avoid
> > asking the same question many times - or nobody reacting at all because
> > everyone assumes someone else has taken action already).
>
> Ok, added
> It's a Google mail group, not sure how to set such stuff...
> IF the mailer cc's to secur...@qgis.org everybody sees that, else..
> don't think so.
> Regards,
> Richard
> ___
> QGIS-Developer mailing list
> QGIS-Developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Paul Blottiere]

Hi Richard,

I'd like to be added to the list too please :).

Thanks!



Le jeu. 13 févr. 2020 à 09:48, Matthias Kuhn  a écrit :

> On 2/13/20 9:45 AM, Richard Duivenvoorde wrote:
> > On 13/02/2020 09.38, Matthias Kuhn wrote:
> >
> >> Maybe others are better than me in remembering such workflows, but I
> >> will forget that for sure.
> > Which 'workflow'?
> >
> > - somebody finds an issue, and sents an email to secur...@qgis.org
> > - everybody in the mail group sees this and can respond (cc to
> > secur...@qgis.org)
>
> This part of the workflow requires me to realize that this came in
> through an alias and was not directly addressed to me and to remember to
> add the CC to secur...@qgis.org (an address which I have to remember or
> find at this point in time).
>
> But if I'm the only one who is too scattered for this, let's ignore it :)
>
> Matthias
>
> > - somebody picks this up
> >
> > No other services needed?
> >
> > Regards,
> >
> > Richard
> ___
> QGIS-Developer mailing list
> QGIS-Developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer



-- 
*Paul Blottiere*

Lead Software Engineer
*https://hytech-imaging.fr/ *

QGIS Core Committer
*https://pblottiere.github.io/* 
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Matthias Kuhn]

On 2/13/20 9:45 AM, Richard Duivenvoorde wrote:

On 13/02/2020 09.38, Matthias Kuhn wrote:


Maybe others are better than me in remembering such workflows, but I
will forget that for sure.

Which 'workflow'?

- somebody finds an issue, and sents an email to secur...@qgis.org
- everybody in the mail group sees this and can respond (cc to
secur...@qgis.org)


This part of the workflow requires me to realize that this came in 
through an alias and was not directly addressed to me and to remember to 
add the CC to secur...@qgis.org (an address which I have to remember or 
find at this point in time).


But if I'm the only one who is too scattered for this, let's ignore it :)

Matthias


- somebody picks this up

No other services needed?

Regards,

Richard

___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Richard Duivenvoorde]

On 13/02/2020 09.38, Matthias Kuhn wrote:

> Maybe others are better than me in remembering such workflows, but I
> will forget that for sure.

Which 'workflow'?

- somebody finds an issue, and sents an email to secur...@qgis.org
- everybody in the mail group sees this and can respond (cc to
secur...@qgis.org)
- somebody picks this up

No other services needed?

Regards,

Richard
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Matthias Kuhn]

On 2/12/20 5:09 PM, Richard Duivenvoorde wrote:

On 12/02/2020 17.01, Matthias Kuhn wrote:

Thanks Richard,

I'm interested as well in being added.

Will all people in the group be added as CC? It would be good if someone
asks a question back everyone else gets a notification as well (to avoid
asking the same question many times - or nobody reacting at all because
everyone assumes someone else has taken action already).

Ok, added
It's a Google mail group, not sure how to set such stuff...
IF the mailer cc's to secur...@qgis.org everybody sees that, else..
don't think so.
Regards,
Richard


Maybe others are better than me in remembering such workflows, but I 
will forget that for sure.


What would be involved to setup the infrastructure as proposed by Jukka?

Matthias

___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Luigi Pirelli]

Hi Richard,

please may you add me too?

tnx

Luigi Pirelli

**
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Book: Mastering QGIS3 - 3rd Edition

* Hire a team: http://www.qcooperative.net
**


On Wed, 12 Feb 2020 at 13:19, Richard Duivenvoorde 
wrote:

> FYI: I've just created an email(group) address for this:
>
> secur...@qgis.org
>
> Emails to that address will be forwarded to PSC members and members of
> admin-group.
>
> If individuals/core-members want to be added, please let me know so I
> can add you to that group.
>
> Regards,
>
> Richard Duivenvoorde
>
> On 12/02/2020 09.00, Paolo Cavallini wrote:
> > Hi,
> > generally here. If you think it is a grave vulnerability you can send it
> > privately to any PSC member or major QGIS developer (you can check on
> > GitHub for recent activity).
> > Thanks!
> >
> > Il 11/02/20 19:56, security minded ha scritto:
> >> Hello,
> >>
> >> What is the best way to report security issues affecting QGIS ?
> >>
> >> Thanks
> >>
> >> OSSSecurityMinded
> >>
> >> ___
> >> QGIS-Developer mailing list
> >> QGIS-Developer@lists.osgeo.org
> >> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> >> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> >>
> >
>
> ___
> QGIS-Developer mailing list
> QGIS-Developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Richard Duivenvoorde]

On 12/02/2020 17.01, Matthias Kuhn wrote:
> Thanks Richard,
> 
> I'm interested as well in being added.
> 
> Will all people in the group be added as CC? It would be good if someone
> asks a question back everyone else gets a notification as well (to avoid
> asking the same question many times - or nobody reacting at all because
> everyone assumes someone else has taken action already).

Ok, added
It's a Google mail group, not sure how to set such stuff...
IF the mailer cc's to secur...@qgis.org everybody sees that, else..
don't think so.
Regards,
Richard
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Matthias Kuhn]

Thanks Richard,

I'm interested as well in being added.

Will all people in the group be added as CC? It would be good if someone 
asks a question back everyone else gets a notification as well (to avoid 
asking the same question many times - or nobody reacting at all because 
everyone assumes someone else has taken action already).


Bests

Matthias

On 2/12/20 1:19 PM, Richard Duivenvoorde wrote:

FYI: I've just created an email(group) address for this:

secur...@qgis.org

Emails to that address will be forwarded to PSC members and members of
admin-group.

If individuals/core-members want to be added, please let me know so I
can add you to that group.

Regards,

Richard Duivenvoorde

On 12/02/2020 09.00, Paolo Cavallini wrote:

Hi,
generally here. If you think it is a grave vulnerability you can send it
privately to any PSC member or major QGIS developer (you can check on
GitHub for recent activity).
Thanks!

Il 11/02/20 19:56, security minded ha scritto:

Hello,

What is the best way to report security issues affecting QGIS ?

Thanks

OSSSecurityMinded

___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer


___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer


___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[David Marteau]

Hi Richard,

I would like to be added to the list, please .

Thank you

David.


Le 12/02/2020 à 13:19, Richard Duivenvoorde a écrit :

FYI: I've just created an email(group) address for this:

secur...@qgis.org

Emails to that address will be forwarded to PSC members and members of
admin-group.

If individuals/core-members want to be added, please let me know so I
can add you to that group.

Regards,

Richard Duivenvoorde

On 12/02/2020 09.00, Paolo Cavallini wrote:

Hi,
generally here. If you think it is a grave vulnerability you can send it
privately to any PSC member or major QGIS developer (you can check on
GitHub for recent activity).
Thanks!

Il 11/02/20 19:56, security minded ha scritto:

Hello,

What is the best way to report security issues affecting QGIS ?

Thanks

OSSSecurityMinded

___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer


___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

--

David Marteau
Responsable Infrastructure
www.3liz.com 

*Tel*. 06 63 02 89 83
*Bureau*
31, rue de l'Argenterie
34000 Montpellier
*Siège social*
73, allée Kleber
Boulevard de Strasbourg
34000 Montpellier

___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Régis Haubourg]

Me too!

Le mer. 12 févr. 2020 à 14:34, Alessandro Pasotti  a
écrit :

>
>
> On Wed, Feb 12, 2020 at 1:19 PM Richard Duivenvoorde 
> wrote:
>
>> FYI: I've just created an email(group) address for this:
>>
>> secur...@qgis.org
>>
>> Emails to that address will be forwarded to PSC members and members of
>> admin-group.
>>
>> If individuals/core-members want to be added, please let me know so I
>> can add you to that group.
>>
>
>
> me too please.
>
> --
> Alessandro Pasotti
> w3:   www.itopen.it
> ___
> QGIS-Developer mailing list
> QGIS-Developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Nathan Woodrow]

Could I get added to that one please Richard. Thanks.

Nathan.

On Wed., 12 Feb. 2020, 10:19 pm Richard Duivenvoorde, 
wrote:

> FYI: I've just created an email(group) address for this:
>
> secur...@qgis.org
>
> Emails to that address will be forwarded to PSC members and members of
> admin-group.
>
> If individuals/core-members want to be added, please let me know so I
> can add you to that group.
>
> Regards,
>
> Richard Duivenvoorde
>
> On 12/02/2020 09.00, Paolo Cavallini wrote:
> > Hi,
> > generally here. If you think it is a grave vulnerability you can send it
> > privately to any PSC member or major QGIS developer (you can check on
> > GitHub for recent activity).
> > Thanks!
> >
> > Il 11/02/20 19:56, security minded ha scritto:
> >> Hello,
> >>
> >> What is the best way to report security issues affecting QGIS ?
> >>
> >> Thanks
> >>
> >> OSSSecurityMinded
> >>
> >> ___
> >> QGIS-Developer mailing list
> >> QGIS-Developer@lists.osgeo.org
> >> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> >> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> >>
> >
>
> ___
> QGIS-Developer mailing list
> QGIS-Developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Richard Duivenvoorde]

FYI: I've just created an email(group) address for this:

secur...@qgis.org

Emails to that address will be forwarded to PSC members and members of
admin-group.

If individuals/core-members want to be added, please let me know so I
can add you to that group.

Regards,

Richard Duivenvoorde

On 12/02/2020 09.00, Paolo Cavallini wrote:
> Hi,
> generally here. If you think it is a grave vulnerability you can send it
> privately to any PSC member or major QGIS developer (you can check on
> GitHub for recent activity).
> Thanks!
> 
> Il 11/02/20 19:56, security minded ha scritto:
>> Hello,
>>
>> What is the best way to report security issues affecting QGIS ?
>>
>> Thanks
>>
>> OSSSecurityMinded
>>
>> ___
>> QGIS-Developer mailing list
>> QGIS-Developer@lists.osgeo.org
>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>>
> 

___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[jratike80]

Hi,

In the Geoserver project we have a dedicated, closed, moderated and not
archived mailing list for reporting vulnerabilities
https://lists.osgeo.org/mailman/listinfo/geoserver-security.

We advice users to use just that mailing list in user documentation
http://geoserver.org/comm/ and in the issue tracker
https://osgeo-org.atlassian.net/projects/GEOS/summary

PSC members are all members on the list and also moderators. Only mails
which are accepted by a moderator are sent to recipients. About 80 percent
of mails are either spam or unknown people are trying to get accepted to the
security list and moderator just deletes those mails. The rest 20% has been
good stuff and in many cases absolutely something that we do not want to see
on the open mailing lists or in the issue tracker.

-Jukka Rahkonen-
 

Sandro Santilli-4 wrote
> Sounds like a treasure hunt. How about writing a few words on
> https://qgis.org/en/site/getinvolved/development/bugreporting.html ?
> Maybe also defining an email alias @qgis.org to receive those
> reports..
> 
> --strk;
> ___
> QGIS-Developer mailing list

> QGIS-Developer@.osgeo

> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer





--
Sent from: http://osgeo-org.1560.x6.nabble.com/QGIS-Developer-f4099106.html
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Sandro Santilli]

On Wed, Feb 12, 2020 at 09:00:33AM +0100, Paolo Cavallini wrote:
> Hi,
> generally here. If you think it is a grave vulnerability you can send it
> privately to any PSC member or major QGIS developer (you can check on
> GitHub for recent activity).

Sounds like a treasure hunt. How about writing a few words on
https://qgis.org/en/site/getinvolved/development/bugreporting.html ?
Maybe also defining an email alias @qgis.org to receive those
reports..

--strk;
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

Re: [QGIS-Developer] Reporting security related issues ?

[Paolo Cavallini]

Hi,
generally here. If you think it is a grave vulnerability you can send it
privately to any PSC member or major QGIS developer (you can check on
GitHub for recent activity).
Thanks!

Il 11/02/20 19:56, security minded ha scritto:
> Hello,
> 
> What is the best way to report security issues affecting QGIS ?
> 
> Thanks
> 
> OSSSecurityMinded
> 
> ___
> QGIS-Developer mailing list
> QGIS-Developer@lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> 

-- 
Paolo Cavallini - www.faunalia.eu
QGIS.ORG Chair:
http://planet.qgis.org/planet/user/28/tag/qgis%20board/
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer