On 23/01/10 14:17 +0100, Cédric Krier wrote:
> On 21/01/10 17:15 +0100, Cédric Krier wrote:
> > On 17/11/09 11:47 +0100, Mathias Behrle wrote:
> > > * Re: "[tryton] Re: New mailling lists for dev and security" (Mon, 16 Nov 2009 23:41:38 +0100):
> > >
> > > > We can not accept everybody on this mailing list because this mailing
> > > > list is for security developers that will fix reported issues and the
> > > > major difficulty is that the information must be kept secret until a fix
> > > > exists and is applied on all series. So we must keep the number of
> > > > people aware as tiny as possible.
> > >
> > > So we need to have a possibility for users to put issues on the tracker
> > > that are hidden to the public (and perhaps forwarded to tryton-security).
> > > I think this should be done on issues with type security.
> > >
> > > BTW: https://bugs.tryton.org/roundup/issue1295 is not of type security
> > > for me.
> > >
> > > And we need indeed better descriptions of the related purposes, on the
> > > website as well as on the groups.
> >
> > I have tried an update of schema.py of roundup to have this feature.
> >
> > So this works like this:
> >
> > Issue of type 'security' can only be viewed/edited:
> >
> > - by creator
> > - by nosy list
> > - by assigned to
> > - by user that has the "Security" role
> >
> > When the issue reaches one of the states 'resolved', 'closed' or 'invalid',
> > everybody can view it.
> >
> > It is the same for message and file.
> >
> > Is this behavior ok? If so I will apply it to the current roundup.
>
> It is applied on roundup.
> Please, report any issue with this new configuration.

I have also changed the CIA detector to not send stats about a security issue
until it is 'resolved', 'closed' or 'invalid'.

-- 
Cédric Krier

B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email: [email protected]
Jabber: [email protected]
Website: http://www.b2ck.com/
twitter: http://twitter.com/cedrickrier
identi.ca: http://identi.ca/cedrickrier
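The visibility rule described in this thread, as an added example that is not part of the original message and not the actual schema.py change: a standalone Python model of the check, covering issues, their messages/files and the notification gating. All class and function names are hypothetical (this is not Roundup's API), and hiding an attachment unless every issue it is linked to is visible is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# States named in the thread after which a security issue becomes public.
PUBLIC_STATES = {"resolved", "closed", "invalid"}

@dataclass
class Issue:  # hypothetical stand-in for a tracker issue
    type: str
    status: str
    creator: str
    assignedto: Optional[str] = None
    nosy: set = field(default_factory=set)

@dataclass
class User:  # hypothetical stand-in for a tracker user
    name: str
    roles: set = field(default_factory=set)

def is_embargoed(issue):
    """True while a 'security' issue has not reached a public state."""
    return issue.type == "security" and issue.status not in PUBLIC_STATES

def can_view_issue(user, issue):
    """Apply the rule from the thread; user=None models an anonymous visitor."""
    if not is_embargoed(issue):
        return True
    if user is None:
        return False
    return ("Security" in user.roles
            or user.name == issue.creator
            or user.name == issue.assignedto
            or user.name in issue.nosy)

def can_view_attachment(user, linked_issues):
    """Messages and files follow the issues they are linked to.

    Assumption: fail closed. An attachment with no linked issue, or linked
    to at least one issue the user cannot view, stays hidden.
    """
    return bool(linked_issues) and all(
        can_view_issue(user, issue) for issue in linked_issues)

def should_notify(issue):
    """Gate for outbound stats/notifications: nothing leaves while embargoed."""
    return not is_embargoed(issue)
```
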
