The reason I don't want them in the same category is that:
* I see them as a totally different type of contribution. I think a
security reporter has more in common with a translator than a code
contributor
* The existing credits section is maintained by script based on git
log. The security reporters list will probably have to be hand
maintained

I think the biggest good that came out of eliminating the "developers"
vs "patch contributors" is that the definitions of the two groups were
unclear (in the post-svn era. In SVN it was very clear), thus
potentially causing hurt feelings over who deserves to be in which one.
With security reporters, we don't have to worry about that.

Although it's possible there could be fighting over what's a valid
security report if we don't define it carefully (An XSS is obviously a
security report. But there's lots of borderline stuff that gets
reported. Probably the metric should be - do we take action or not
based on the report).

--
Brian

p.s. After posting my initial email, I found out there is a related
phab ticket at https://phabricator.wikimedia.org/T118131

On Tue, May 1, 2018 at 9:28 PM, Eddie Greiner-Petter
<[email protected]> wrote:
> A while back (cba03a5777) we gave up dividing that file into
> "Developers" and "Patch contributors" - and imho that was a good
> thing. The only sections in the CREDITS file by now are "Contributors"
> and "Translators", where the latter just holds a link to translatewiki.
>
> I'd (slightly) prefer to just add those who reported security issues
> to the "Contributors" section (considering "reported a security issue"
> a contribution) instead of adding a new section - technically someone
> reporting a security issue with a patch attached would be both a
> "Vulnerability Reporter" and a "Contributor", which just seems
> confusing. Aside from bikeshedding about that, I totally agree with
> your proposal.
>
> --
> Eddie
>
> On 01.05.2018 20:34, Brian Wolff wrote:
>> Hi everyone,
>>
>> Currently we only credit people who report security vulnerabilities
>> at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks
>> (which basically nobody reads or knows exists) and sometimes in the
>> commit message and release announcements. Given such people are
>> instrumental in keeping MediaWiki secure, I think we should also
>> credit them in the CREDITS file. I propose adding another section
>> to the file - "Vulnerability Reporters", listing the names of
>> everyone who has reported a security vulnerability in either
>> MediaWiki or a bundled extension.
>>
>> Thoughts?
>>
>> --
>> Brian
>> _______________________________________________
>> Wikitech-l mailing list
>> [email protected]
>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>>
