From: Jeremy A. <ja...@tu...> - 2003-01-01 23:33:11
Ok, none of this is set in stone, but lots of things talked about here have been on the drawing board for a while. I have posted before on some of these subjects, so see old email for back info (module master list/running phpws master list).

First, I would not like to see a user forced to list his site on the list just to get security/update advisories. If someone does not want to list their site they should have the right to. Basically the "who is running phpWebSite" list should remain separate.

Now to the user part of update/security. We have had plans to build a master list for both users and developers. This list will allow anyone to both see/browse modules and to get useful info (latest version/home page/mod developer contact, etc). This would also be the place where developers would make releases/security advisories. Any developers would have their module/themes/other associated with their account on phpws and could be able to update their info on the fly. The module would then do the work to send out updates/advisories. Boost would also work with the backend of this to allow users on the admin side of their site the same flexibility.

I'm going to play devil's advocate on the privileged user list for security advisories. There is no way we can control who sees this. Someone bad could just as easily get this information and use it against everyone. Not telling everyone at once will always have this problem. I do however think you are right about users having time to get their sites updated and secure and not getting blindsided by a cracker. I would propose this. We have an advisory go out, let's say 24 hours ahead of time, simply announcing there will be a security update that should be applied. It will not contain any useful info but will be a reminder to people that they need to do an update in a day. A full advisory would follow on the release of the patch/upgrade.

Now on to distributing phpWebSite updates and advisories. I propose that we use mailman (mailing lists) for this part. It means we do not have to worry about bounce stuff or any other part of email. Mailman will do our work but will receive its info from the module on the master list system. These lists will not be available to receive any email from others. Second, it will give users a more flexible way of receiving info. They can get digest, each email, ... There would be two lists: the updates list and the security list.

Last but not least, boost. Boost will always be a more active client. Matt can talk more on this subject, but boost will have the ability to be a true "update" client.

I would like to add a small side note on licensing of this module. This is not very important now but may need to be discussed. If this is licensed under the GPL, commercial/non-GPL modules will not be able to take advantage of this system. If it is LGPL they will be able to use it. This only means more use if it is LGPL, so no one will really notice. It would also ensure phpWebSite users that are using commercial software will stay secure/up2date too. Remember, security is only as good as your weakest link!

--
Jeremy Agee
phpWebSite Development Team (http://phpwebsite.appstate.edu)
Appalachian State University
SF.net id: jagee or 94756