Re: [Wikitech-l] Proposal: Add security researchers to CREDITS file & [[Special:Version/credits]]
The reason I don't want them in the same category is that:

* I see them as a totally different type of contribution. I think a security reporter has more in common with a translator than a code contributor
* The existing credits section is maintained by script based on git log. The security reporters list will probably have to be hand maintained

I think the biggest good that came out of eliminating the "developers" vs "patch contributors" is that the definition of the two groups was unclear (in the post-svn era. In SVN it was very clear), thus potentially causing hurt feelings over who deserves to be in which one. With security reporters, we don't have to worry about that. Although it's possible there could be fighting over what's a valid security report if we don't define it carefully (An XSS is obviously a security report. But there's lots of borderline stuff that gets reported. Probably the metric should be - do we take action or not based on the report).

--
Brian

p.s. After posting my initial email, I found out there is a related phab ticket at https://phabricator.wikimedia.org/T118131

On Tue, May 1, 2018 at 9:28 PM, Eddie Greiner-Petter wrote:
> A while back (cba03a5777) we gave up dividing that file into
> "Developers" and "Patch contributors" - and imho that was a good
> thing. The only sections in the CREDITS file by now are "Contributors"
> and "Translators", where the latter just holds a link to translatewiki.
>
> I'd (slightly) prefer to just add those who reported security issues
> to the "Contributors" section (considering "reported a security issue"
> a contribution) instead of adding a new section - technically someone
> reporting a security issue with a patch attached would be both a
> "Vulnerability Reporter" and a "Contributor", which just seems
> confusing. Besides from bikeshedding about that, I totally agree with
> your proposal.
>
> --
> Eddie
>
> On 01.05.2018 20:34, Brian Wolff wrote:
>> Hi everyone,
>>
>> Currently we only credit people who report security vulnerabilities
>> at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks
>> (which basically nobody reads or knows exists) and sometimes in the
>> commit message and release announcements. Given such people are
>> instrumental in keeping MediaWiki secure, I think we should also
>> credit them in the CREDITS file. I propose adding another section
>> to the file - "Vulnerability Reporters", listing the names of
>> everyone who has reported a security vulnerability in either
>> MediaWiki or a bundled extension.
>>
>> Thoughts?
>>
>> -- Brian
>> ___
>> Wikitech-l mailing list
>> Wikitech-l@lists.wikimedia.org
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Proposal: Add security researchers to CREDITS file & [[Special:Version/credits]]
A while back (cba03a5777) we gave up dividing that file into "Developers" and "Patch contributors" - and imho that was a good thing. The only sections in the CREDITS file by now are "Contributors" and "Translators", where the latter just holds a link to translatewiki.

I'd (slightly) prefer to just add those who reported security issues to the "Contributors" section (considering "reported a security issue" a contribution) instead of adding a new section - technically someone reporting a security issue with a patch attached would be both a "Vulnerability Reporter" and a "Contributor", which just seems confusing. Besides from bikeshedding about that, I totally agree with your proposal.

--
Eddie

On 01.05.2018 20:34, Brian Wolff wrote:
> Hi everyone,
>
> Currently we only credit people who report security vulnerabilities
> at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks
> (which basically nobody reads or knows exists) and sometimes in the
> commit message and release announcements. Given such people are
> instrumental in keeping MediaWiki secure, I think we should also
> credit them in the CREDITS file. I propose adding another section
> to the file - "Vulnerability Reporters", listing the names of
> everyone who has reported a security vulnerability in either
> MediaWiki or a bundled extension.
>
> Thoughts?
>
> -- Brian
Re: [Wikitech-l] Proposal: Add security researchers to CREDITS file & [[Special:Version/credits]]
Good ideas, side note: I'm fairly certain the Credits special page just pulls from CREDITS file.

Thanks,
Zppix
Volunteer Developer for WMF
Volunteer Support for Mozilla
www.enwp.org/User:Zppix

On Tue, May 1, 2018 at 3:34 PM, Brian Wolff wrote:
> Hi everyone,
>
> Currently we only credit people who report security vulnerabilities at
> https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks (which
> basically nobody reads or knows exists) and sometimes in the commit message
> and release announcements. Given such people are instrumental in keeping
> MediaWiki secure, I think we should also credit them in the CREDITS file. I
> propose adding another section to the file - "Vulnerability Reporters",
> listing the names of everyone who has reported a security vulnerability in
> either MediaWiki or a bundled extension.
>
> Thoughts?
>
> --
> Brian
[Wikitech-l] Proposal: Add security researchers to CREDITS file & [[Special:Version/credits]]
Hi everyone,

Currently we only credit people who report security vulnerabilities at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks (which basically nobody reads or knows exists) and sometimes in the commit message and release announcements. Given such people are instrumental in keeping MediaWiki secure, I think we should also credit them in the CREDITS file. I propose adding another section to the file - "Vulnerability Reporters", listing the names of everyone who has reported a security vulnerability in either MediaWiki or a bundled extension.

Thoughts?

--
Brian