From: icedlava <ice...@gm...> - 2014-03-13 07:35:51
I believe a bug tracker works if all bugs are directed there; otherwise it's just overhead. I do have an account there, but as there is a bugs forum it seems redundant (and maybe that is why the tracker is not used more; it doesn't seem to be easy to find the tracker either).

> it is still there if you are keen to pick it up and give it a birthday

If there is one supported place for tracking bugs and communication on them, I'd be happy to maintain the bug tracker or lend a hand to whoever is doing it now (even though I'm definitely not keen on Mantis). Just say the word.

My point about a security email address (directing to a private list or shared mail address) was because sometimes a person just wants to quickly report something and know it's not going public.

I agree with you that the developers mailing list is very useful and prefer it to forums. However, it's public, and therefore does not fit the requirements for private reporting of security vulnerabilities. Once information is published there it remains public and searchable.

Thanks for the feedback.

cheers

On 13 Mar 2014, at 17:39, Phil Daintree wrote:

> We already have a bug tracker.
>
> The snag with it though is that it is unmaintained - I can't remember
> who put their hand up keen to administer it, but they have not been able
> to keep it up. I must say I was sceptical at the time for just this
> reason and stated up front that I did not want to maintain it myself.
> However, it is still there if you are keen to pick it up and give it a
> birthday.
>
> http://www.weberp.org/bugs
>
> What you say is good sense. However, I still feel that this is what the
> developers mailing list is for.
>
> Phil
>
> Phil Daintree
> Logic Works Ltd - +64 (0)275 567890
> http://www.logicworks.co.nz
>
> On 13/03/14 15:27, icedlava wrote:
>> Hi Phil,
>>
>> Perhaps there could be a security reporting process that attempts to
>> keep any vulnerabilities out of the public eye until they are assessed
>> and fixed and a patch posted, depending on the severity.
>>
>> Some security issues are not as severe as others and would not hurt
>> being publicly posted. Others might need urgent attention and fixing
>> prior to publishing any info or hints to it, to ensure websites are not
>> taken advantage of prior to the fix being applied.
>>
>> Example:
>>
>> 1. All security vulnerability posts to go to an email
>> sec...@we... that is received to a closed list, viewable only to
>> a list of developers. There would hopefully be at least one person that
>> could receive/read it immediately and assess the severity, or notify
>> someone who could assess it if they didn't know.
>> Most bug trackers also have the ability to post directly and not be
>> viewed publicly - e.g. only viewable to a permission-enabled list of
>> people.
>>
>> 2. This email and/or bug tracker link could be publicised on weberp.org
>> along with how security issues are handled.
>>
>> 3. If it is not a severe vulnerability, it could be publicly published
>> to the list/forum/bug tracker for discussion or fixing.
>>
>> 4. If it is severe and needs discussion, it could be posted to a
>> 'closed' forum or bug tracker item that is open to all approved
>> developers. They could address the issue, provide a patch.
>> Once the patch is provided, it could be published openly.
>>
>> 5. Where a report is published openly before it becomes or is known as a
>> severe security issue (e.g. list or forum), then hopefully before any
>> key information is provided about it, discussion can be moved to the
>> closed list/bug tracker for processing as in 3.
>> This problem could be
>> overcome by having a dedicated bug tracker that is always promoted to be
>> used for any issue, as the bug could be hidden from the public along with
>> any existing discussion (in most trackers) as soon as it becomes evident
>> it's a security-related one.
>>
>> Just a rough idea.
>>
>> Cheers,
>>
>> On 13 Mar 2014, at 9:46, Phil Daintree wrote:
>>
>>> There is no secrecy here.
>>>
>>> If there is some issue that you are aware of then obviously the meat
>>> of what the issue is about needs to be contained in the message to the
>>> list. It is insufficient to head up a message "major vulnerability"
>>> referring to private discussions - which I am unaware of BTW - and
>>> suggest there is some major problem without any substance in the mail
>>> of what the issue is! Of course not many people would post such FUD
>>> this way.
>>>
>>> I prefer to have any issues completely on the (developers) table so we
>>> can discuss them and come up with a solution if necessary quickly and
>>> advise the users ASAP. We are an open source project and well ...
>>> open. I do, however, try to keep these forums/lists free of
>>> FUD/nonsense.
>>>
>>> I am aware of the $AllowAnyone issue which gave access to the GL Trial
>>> Balance - which is now fixed and I have published a note to advise
>>> users.
>>>
>>> If there are any incorrect statements in messages to the list or the
>>> forum then I will try to remove them to avoid misleading anyone.
>>> Although this is not always easy.
>>>
>>> Phil
>>>
>>> Ph: +64 (0)275 567890
>>> Skype: daintree
>>> http://www.logicworks.co.nz
>>> ------------------------------------------------------------------------------
>>> Learn Graph Databases - Download FREE O'Reilly Book
>>> "Graph Databases" is the definitive new guide to graph databases and their
>>> applications. Written by three acclaimed leaders in the field,
>>> this first edition is now available.
>>> Download your free book today!
>>> http://p.sf.net/sfu/13534_NeoTech
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web...@li...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers