Re: [Wikitech-l] Proposal: Add security researchers to CREDITS file & [[Special:Version/credits]]

2018-05-01 Thread bawolff
The reason I don't want them in the same category is, that:
* I see them as a totally different type of contribution. I think a
security reporter has more in common with a translator than a code
contributor
* The existing credits section is maintained by script based on git
log. The security reporters list will probably have to be hand
maintained

I think the biggest good that came out of eliminating the "developers"
vs "patch contributors" is that the definition of the two groups was
unclear (in the post-svn era. In SVN it was very clear), thus
potentially causing hurt feelings over who deserves to be in which one.
With security reporters, we don't have to worry about that.

Although it's possible there could be fighting over what's a valid
security report if we don't define it carefully (An XSS is obviously a
security report. But there's lots of borderline stuff that gets
reported. Probably the metric should be - do we take action or not
based on the report).

--
Brian

p.s. After posting my initial email, I found out there is a related
phab ticket at https://phabricator.wikimedia.org/T118131

On Tue, May 1, 2018 at 9:28 PM, Eddie Greiner-Petter wrote:
> A while back (cba03a5777) we gave up dividing that file into
> "Developers" and "Patch contributors" - and imho that was a good
> thing. The only sections in the CREDITS file by now are "Contributors"
> and "Translators", where the latter just holds a link to translatewiki.
>
> I'd (slightly) prefer to just add those who reported security issues
> to the "Contributors" section (considering "reported a security issue"
> a contribution) instead of adding a new section - technically someone
> reporting a security issue with a patch attached would be both a
> "Vulnerability Reporter" and a "Contributor", which just seems
> confusing. Besides from bikeshedding about that, I totally agree with
> your proposal.
>
> --
> Eddie
>
> On 01.05.2018 20:34, Brian Wolff wrote:
>> Hi everyone,
>>
>> Currently we only credit people who report security vulnerabilities
>> at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks
>> (which basically nobody reads or knows exists) and sometimes in the
>> commit message and release announcements. Given such people are
>> instrumental in keeping MediaWiki secure, I think we should also
>> credit them in the CREDITS file. I propose adding another section
>> to the file - "Vulnerability Reporters", listing the names of
>> everyone who has reported a security vulnerability in either
>> MediaWiki or a bundled extension.
>>
>> Thoughts?
>>
>> -- Brian

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: [Wikitech-l] Proposal: Add security researchers to CREDITS file & [[Special:Version/credits]]

2018-05-01 Thread Eddie Greiner-Petter
A while back (cba03a5777) we gave up dividing that file into
"Developers" and "Patch contributors" - and imho that was a good
thing. The only sections in the CREDITS file by now are "Contributors"
and "Translators", where the latter just holds a link to translatewiki.

I'd (slightly) prefer to just add those who reported security issues
to the "Contributors" section (considering "reported a security issue"
a contribution) instead of adding a new section - technically someone
reporting a security issue with a patch attached would be both a
"Vulnerability Reporter" and a "Contributor", which just seems
confusing. Besides from bikeshedding about that, I totally agree with
your proposal.

--
Eddie

On 01.05.2018 20:34, Brian Wolff wrote:
> Hi everyone,
> 
> Currently we only credit people who report security vulnerabilities
> at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks
> (which basically nobody reads or knows exists) and sometimes in the
> commit message and release announcements. Given such people are
> instrumental in keeping MediaWiki secure, I think we should also
> credit them in the CREDITS file. I propose adding another section
> to the file - "Vulnerability Reporters", listing the names of
> everyone who has reported a security vulnerability in either
> MediaWiki or a bundled extension.
> 
> Thoughts?
> 
> -- Brian

Re: [Wikitech-l] Proposal: Add security researchers to CREDITS file & [[Special:Version/credits]]

2018-05-01 Thread zppix e
Good ideas, side note: I'm fairly certain the Credits special page just
pulls from CREDITS file.

Thanks,
Zppix
Volunteer Developer for WMF
Volunteer Support for Mozilla
www.enwp.org/User:Zppix


On Tue, May 1, 2018 at 3:34 PM, Brian Wolff wrote:

> Hi everyone,
>
> Currently we only credit people who report security vulnerabilities at
> https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks (which
> basically nobody reads or knows exists) and sometimes in the commit message
> and release announcements. Given such people are instrumental in keeping
> MediaWiki secure, I think we should also credit them in the CREDITS file. I
> propose adding another section to the file - "Vulnerability Reporters",
> listing the names of everyone who has reported a security vulnerability in
> either MediaWiki or a bundled extension.
>
> Thoughts?
>
> --
> Brian

[Wikitech-l] Proposal: Add security researchers to CREDITS file & [[Special:Version/credits]]

2018-05-01 Thread Brian Wolff
Hi everyone,

Currently we only credit people who report security vulnerabilities at
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks (which
basically nobody reads or knows exists) and sometimes in the commit message
and release announcements. Given such people are instrumental in keeping
MediaWiki secure, I think we should also credit them in the CREDITS file. I
propose adding another section to the file - "Vulnerability Reporters",
listing the names of everyone who has reported a security vulnerability in
either MediaWiki or a bundled extension.

Thoughts?

--
Brian