Could someone (you) start the security team and recruit members, monitor/track tickets, publish this information somewhere and send notifications? I am sure a piece of software could be created to hook up to the Trac tickets RSS and have ways to mark tickets as a security issue and automatically send notifications to a mailing list people can sign up for when they are fixed.

- Jon

On Wed, May 14, 2008 at 5:05 AM, Ian P. Christian <[EMAIL PROTECTED]> wrote:
>
> Recently, some idiot has blogged in a negative way about how the symfony
> team handles security issues [1]. If the poster spent more time
> developing, and less time talking nonsense on IRC, maybe there would be
> less to complain about.... Anyway, the correct place to discuss this
> kind of thing is the list, so.... here goes!
>
> Personally, I think it's important users know about security issues as
> soon as they happen. It's my opinion that keeping security issues
> 'low key' does nothing but potentially hurt users, and lose trust. This
> topic brings with it a wide range of opinions though, and handling
> security issues in the software world isn't an easy task.
>
> I would like to suggest that a security team is put together, where
> issues can be discussed in full by core/trusted developers - and official
> advisories for any security related issues (regardless of severity) are
> written and published.
>
> I suggest that clear links are made from the front page of the site, and
> the ticket creation page, which link to a page explaining how security
> issues are handled. I think an email address for the security team
> should be placed on this page, and someone should get back to the
> reporter of the issue as soon as possible to let them know their issue
> will be dealt with.
>
> I don't think there's any shame in publishing a security history on the
> site; I feel it's important to be very up front about these issues. Not
> only so users can see issues and how they were dealt with, but so that
> current and future developers can read and learn from previous mistakes.
>
> So, I urge you all to voice your opinions on this - maybe I'm just
> making a point over nothing; feel free to voice that opinion too, I'm
> thick skinned :)
>
> [1] http://pookey.co.uk/blog/archives/50-Symfony-security-concerns-and-other-issues.html

--
Jonathan Wage
http://www.jwage.com
http://www.centresource.com
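As an added illustration of the ticket-feed watcher Jon sketches above (example code, not anything the symfony project or the posters wrote): it parses a Trac-style RSS feed, keeps only tickets carrying an assumed "security" category, and reports those whose title shows them closed as fixed, so an announcement can go to the opt-in list. The feed text, the category convention and the "(closed: fixed)" title marker are assumptions constructed for the example.

```python
# Added example (not from the thread): watch a Trac ticket RSS feed for
# security-tagged tickets that have been fixed and build a list notice.
# SAMPLE_FEED is constructed data; a real Trac feed differs in detail.
import xml.etree.ElementTree as ET

SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
 <item><title>#1201: XSS in form helper (closed: fixed)</title>
  <link>http://trac.example.org/ticket/1201</link>
  <category>security</category>
  <description>Escaping was missing in the helper.</description></item>
 <item><title>#1202: Typo in docs (closed: fixed)</title>
  <link>http://trac.example.org/ticket/1202</link>
  <category>docs</category></item>
 <item><title>#1203: Session fixation (new)</title>
  <link>http://trac.example.org/ticket/1203</link>
  <category>security</category></item>
</channel></rss>"""

SECURITY_TAG = "security"  # assumed convention: a 'security' category on the ticket

def parse_feed(xml_text):
    """Return one dict (title, link, categories) per <item> in the feed."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "categories": [c.text.strip().lower()
                           for c in item.findall("category") if c.text],
        })
    return items

def is_fixed(title):
    # Assumed marker: the feed puts status/resolution in the title.
    return "(closed: fixed)" in title.lower()

def fixed_security_tickets(xml_text, already_notified=frozenset()):
    """Security-tagged, fixed tickets whose link has not been announced yet."""
    return [i for i in parse_feed(xml_text)
            if SECURITY_TAG in i["categories"] and is_fixed(i["title"])
            and i["link"] not in already_notified]

def build_notice(ticket):
    """Plain-text announcement for the security mailing list."""
    return "Security fix released: %s\n%s" % (ticket["title"], ticket["link"])

if __name__ == "__main__":
    for t in fixed_security_tickets(SAMPLE_FEED):
        print(build_notice(t))
```

Persisting the set of already-announced links between runs is what keeps the list from being mailed twice for the same ticket.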
