From: Phil D. <ph...@lo...> - 2014-03-13 08:10:33
Yes, that's how the thinking went - if we really want feedback on bugs then we need to make it easy to report - so the forum was the place. I really do believe if there are issues then the developers list is where they belong unless we have a full time administrator working on the bug tracker. I am thinking of ditching the bug tracker unless anyone has violent objections or wishes to take it on - not sure how I got talked into putting it up!

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 13/03/14 20:35, icedlava wrote:
> I believe a bug tracker works if all bugs are directed there, otherwise it's just overhead. I do have an account there but as there is a bugs forum it seems redundant (and maybe why the tracker is not used more - doesn't seem to be easy to find the tracker either).
>
>> it is still there if you are keen to pick it up and give it a birthday
> If there is one supported place for tracking bugs and communication on them, I'd be happy to maintain the bug tracker or lend a hand to whoever is doing it now (even though I'm definitely not keen on Mantis). Just say the word.
>
> My point about a security email address (directing to a private list or shared mail address) was because sometimes a person just wants to quickly report something and know it's not going public.
>
> I agree with you that the developers mailing list is very useful and prefer it to forums. However it's public, and therefore does not fit the requirements for private reporting of security vulnerabilities. Once information is published there it remains public and searchable.
>
> Thanks for the feedback.
>
> cheers
>
> On 13 Mar 2014, at 17:39, Phil Daintree wrote:
>
>> We already have a bug tracker.
>>
>> The snag with it though is that it is unmaintained - I can't remember who put their hand up keen to administer it, but they have not been able to keep it up. I must say I was sceptical at the time for just this reason and stated up front that I did not want to maintain it myself. However, it is still there if you are keen to pick it up and give it a birthday.
>>
>> http://www.weberp.org/bugs
>>
>> What you say is good sense. However, I still feel that this is what the developers mailing list is for.
>>
>> Phil
>>
>> Phil Daintree
>> Logic Works Ltd - +64 (0)275 567890
>> http://www.logicworks.co.nz
>>
>> On 13/03/14 15:27, icedlava wrote:
>>> Hi Phil,
>>>
>>> Perhaps there could be a security reporting process that attempts to keep any vulnerabilities out of the public eye until they are assessed and fixed and a patch posted, depending on the severity.
>>>
>>> Some security issues are not as severe as others and would not hurt being publicly posted. Others might need urgent attention and fixing prior to publishing any info or hints to it, to ensure websites are not taken advantage of prior to the fix being applied.
>>>
>>> Example:
>>>
>>> 1. All security vulnerability posts to go to an email sec...@we... that is received to a closed list, viewable only to a list of developers. There would hopefully be at least one person that could receive/read it immediately and assess the severity, or notify someone who could assess it if they didn't know. Most bug trackers also have the ability to post directly and not be viewed publicly - e.g. only viewable to a permission-enabled list of people.
>>>
>>> 2. This email and/or bug tracker link could be publicised on weberp.org along with how security issues are handled.
>>>
>>> 3. If it is not a severe vulnerability, it could be publicly published to the list/forum/bug tracker for discussion or fixing.
>>>
>>> 4. If it is severe and needs discussion, it could be posted to a 'closed' forum or bug tracker item that is open to all approved developers. They could address the issue and provide a patch. Once the patch is provided, it could be published openly.
>>>
>>> 5. Where a report is published openly before it becomes or is known as a severe security issue (e.g. list or forum), then hopefully before any key information is provided about it, discussion can be moved to the closed list/bug tracker for processing as in 3. This problem could be overcome by having a dedicated bug tracker that is always promoted to be used for any issue, as the bug could be hidden from the public along with any existing discussion (in most trackers) as soon as it becomes evident it's a security related one.
>>>
>>> Just a rough idea.
>>>
>>> Cheers,
>>>
>>> On 13 Mar 2014, at 9:46, Phil Daintree wrote:
>>>
>>>> There is no secrecy here.
>>>>
>>>> If there is some issue that you are aware of then obviously the meat of what the issue is about needs to be contained in the message to the list. It is insufficient to head up a message "major vulnerability" referring to private discussions - which I am unaware of BTW - and suggest there is some major problem without any substance in the mail of what the issue is! Of course not many people would post such FUD this way.
>>>>
>>>> I prefer to have any issues completely on the (developers) table so we can discuss them and come up with a solution if necessary quickly and advise the users ASAP. We are an open source project and well ... open. I do, however, try to keep these forums/lists free of FUD/nonsense.
>>>>
>>>> I am aware of the $AllowAnyone issue which gave access to the GL Trial balance - which is now fixed and I have published a note to advise users.
>>>>
>>>> If there are any incorrect statements in messages to the list or the forum then I will try to remove them to avoid misleading anyone. Although this is not always easy.
>>>>
>>>> Phil
>>>>
>>>> Ph: +64 (0)275 567890
>>>> Skype: daintree
>>>> http://www.logicworks.co.nz
>>>> _______________________________________________
>>>> Web-erp-developers mailing list
>>>> Web...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers