From: Phil D. <ph...@lo...> - 2014-03-13 07:09:33

We already have a bug tracker. The snag with it though is that it is unmaintained - I can't remember who put their hand up keen to administer it, but they have not been able to keep it up. I must say I was sceptical at the time for just this reason and stated up front that I did not want to maintain it myself. However, it is still there if you are keen to pick it up and give it a birthday.

http://www.weberp.org/bugs

What you say is good sense. However, I still feel that this is what the developers mailing list is for.

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 13/03/14 15:27, icedlava wrote:
> Hi Phil,
>
> Perhaps there could be a security reporting process that attempts to
> keep any vulnerabilities out of the public eye until they are assessed and
> fixed and a patch posted, depending on the severity.
>
> Some security issues are not as severe as others and would not hurt
> being publicly posted. Others might need urgent attention and fixing
> prior to publishing any info or hints to it, to ensure websites are not
> taken advantage of prior to the fix being applied.
>
> Example:
>
> 1. All security vulnerability posts to go to an email
> sec...@we... that is received to a closed list, viewable only to
> a list of developers. There would hopefully be at least one person that
> could receive/read it immediately and assess the severity, or notify
> someone who could assess it if they didn't know.
> Most bug trackers also have the ability to post directly and not be
> viewed publicly - e.g. only viewable to a permission-enabled list of
> people.
>
> 2. This email and/or bug tracker link could be publicised on weberp.org
> along with how security issues are handled.
>
> 3. If it is not a severe vulnerability, it could be publicly published
> to the list/forum/bug tracker for discussion or fixing.
>
> 4. If it is severe and needs discussion, it could be posted to a
> 'closed' forum or bug tracker item that is open to all approved
> developers. They could address the issue, provide a patch.
> Once the patch is provided, it could be published openly.
>
> 5. Where a report is published openly before it becomes or is known as a
> severe security issue (e.g. list or forum), then hopefully before any
> key information is provided about it, discussion can be moved to the
> closed list/bug tracker for processing as in 3. This problem could be
> overcome by having a dedicated bug tracker that is always promoted to be
> used for any issue, as the bug could be hidden from the public along with
> any existing discussion (in most trackers) as soon as it becomes evident
> it's a security related one.
>
> Just a rough idea.
>
> Cheers,
>
>
> On 13 Mar 2014, at 9:46, Phil Daintree wrote:
>
>> There is no secrecy here.
>>
>> If there is some issue that you are aware of then obviously the meat
>> of what the issue is about needs to be contained in the message to the
>> list. It is insufficient to head up a message "major vulnerability"
>> referring to private discussions - which I am unaware of BTW - and
>> suggest there is some major problem without any substance in the mail
>> of what the issue is! Of course not many people would post such FUD
>> this way.
>>
>> I prefer to have any issues completely on the (developers) table so we
>> can discuss them and come up with a solution if necessary quickly and
>> advise the users ASAP. We are an open source project and well ...
>> open. I do however, try to keep these forums/lists free of
>> FUD/nonsense.
>>
>> I am aware of the $AllowAnyone issue which gave access to the GL Trial
>> balance - which is now fixed and I have published a note to advise
>> users.
>>
>> If there are any incorrect statements in messages to the list or the
>> forum then I will try to remove them to avoid misleading anyone.
>> Although this is not always easy.
>>
>>
>> Phil
>>
>> Ph: +64 (0)275 567890
>> Skype: daintree
>> http://www.logicworks.co.nz
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers