From: icedlava <ice...@gm...> - 2014-03-13 08:51:45
> Yes that's how the thinking went - if we really want feedback on bugs
> then we need to make it easy to report - so the forum was the place.

hehe - in truth I've never really liked forums as I find them a bit cumbersome for tracking things and having to log in to the web. Always preferred mailing lists. Having a web based bug tracker is much the same as a forum but has the benefit that you can track, search, assign, hide, etc. each bug as necessary, i.e. better for management of issues and historical use/looking back for checking.

Again, if you do want someone to manage the bug tracker then I'm happy to do it, along with anyone else that wants to volunteer. I like bug trackers a lot. But I'd recommend you put a link to the bug tracker in the forum if you do use it.

I agree and think the developer list is great for discussion. The reason this came up though is due to the security reporting process - it would only work as intended if we had a place where the report could be initially out of public view - the developer list is open, right?

As a simple alternative, setting up email sec...@we... and having it go to at least 3 people, or some secure non-public mail list, would work too to keep the report out of the public eye until assessed. Perhaps that's the way to go?

Happy to support whatever is agreed.

Cheers,

On 13 Mar 2014, at 18:40, Phil Daintree wrote:

> Yes that's how the thinking went - if we really want feedback on bugs
> then we need to make it easy to report - so the forum was the place.
>
> I really do believe if there are issues then the developers list is
> where they belong unless we have a full time administrator working on
> the bug tracker.
>
> I am thinking of ditching the bug tracker unless anyone has violent
> objections or wishes to take it on - not sure how I got talked into
> putting it up!
>
> Phil
>
> Phil Daintree
> Logic Works Ltd - +64 (0)275 567890
> http://www.logicworks.co.nz
>
> On 13/03/14 20:35, icedlava wrote:
>> I believe a bug tracker works if all bugs are directed there, otherwise
>> it's just overhead. I do have an account there but as there is a bugs
>> forum it seems redundant (and maybe why the tracker is not used more -
>> doesn't seem to be easy to find the tracker either).
>>
>>> it is still there if you are keen to pick it up and give it a
>>> birthday
>>
>> If there is one supported place for tracking bugs and communication on
>> them, I'd be happy to maintain the bug tracker or lend a hand to whoever
>> is doing it now (even tho I'm definitely not keen on Mantis). Just say
>> the word.
>>
>> My point about a security email address (directing to a private list or
>> shared mail address) was because sometimes a person just wants to quickly
>> report something and know it's not going public.
>>
>> I agree with you that the developers mailing list is very useful and
>> prefer it to forums. However it's public, and therefore does not fit the
>> requirements for private reporting of security vulnerabilities. Once
>> information is published there it remains public and searchable.
>>
>> Thanks for the feedback.
>>
>> cheers
>>
>> On 13 Mar 2014, at 17:39, Phil Daintree wrote:
>>
>>> We already have a bug tracker.
>>>
>>> The snag with it though is that it is unmaintained - I can't remember
>>> who put their hand up keen to administer it, but they have not been able
>>> to keep it up. I must say I was sceptical at the time for just this
>>> reason and stated up front that I did not want to maintain it myself.
>>> However, it is still there if you are keen to pick it up and give it a
>>> birthday.
>>>
>>> http://www.weberp.org/bugs
>>>
>>> What you say is good sense. However, I still feel that this is what the
>>> developers mailing list is for.
>>>
>>> Phil
>>>
>>> Phil Daintree
>>> Logic Works Ltd - +64 (0)275 567890
>>> http://www.logicworks.co.nz
>>>
>>> On 13/03/14 15:27, icedlava wrote:
>>>> Hi Phil,
>>>>
>>>> Perhaps there could be a security reporting process that attempts to
>>>> keep any vulnerabilities out of the public eye until they are assessed
>>>> and fixed and a patch posted, depending on the severity.
>>>>
>>>> Some security issues are not as severe as others and would not hurt
>>>> being publicly posted. Others might need urgent attention and fixing
>>>> prior to publishing any info or hints to it, to ensure websites are not
>>>> taken advantage of prior to the fix being applied.
>>>>
>>>> Example:
>>>>
>>>> 1. All security vulnerability posts to go to an email
>>>> sec...@we... that is received to a closed list, viewable only to
>>>> a list of developers. There would hopefully be at least one person that
>>>> could receive/read it immediately and assess the severity, or notify
>>>> someone who could assess it if they didn't know.
>>>> Most bug trackers also have the ability to post directly and not be
>>>> viewed publicly - e.g. only viewable to a permission enabled list of
>>>> people.
>>>>
>>>> 2. This email and/or bug tracker link could be publicised on weberp.org
>>>> along with how security issues are handled.
>>>>
>>>> 3. If it is not a severe vulnerability, it could be publicly published
>>>> to the list/forum/bug tracker for discussion or fixing.
>>>>
>>>> 4. If it is severe and needs discussion, it could be posted to a
>>>> 'closed' forum or bug tracker item that is open to all approved
>>>> developers. They could address the issue, provide a patch.
>>>> Once the patch is provided, it could be published openly.
>>>>
>>>> 5. Where a report is published openly before it becomes or is known as
>>>> a severe security issue (e.g. list or forum), then hopefully before any
>>>> key information is provided about it, discussion can be moved to the
>>>> closed list/bug tracker for processing as in 3. This problem could be
>>>> overcome by having a dedicated bug tracker that is always promoted to be
>>>> used for any issue, as the bug could be hidden to the public along with
>>>> any existing discussion (in most trackers) as soon as it becomes evident
>>>> it's a security related one.
>>>>
>>>> Just a rough idea.
>>>>
>>>> Cheers,
>>>>
>>>> On 13 Mar 2014, at 9:46, Phil Daintree wrote:
>>>>
>>>>> There is no secrecy here.
>>>>>
>>>>> If there is some issue that you are aware of then obviously the meat
>>>>> of what the issue is about needs to be contained in the message to the
>>>>> list. It is insufficient to head up a message major vulnerability
>>>>> referring to private discussions - which I am unaware of BTW - and
>>>>> suggest there is some major problem without any substance in the mail
>>>>> of what the issue is! Of course not many people would post such FUD
>>>>> this way.
>>>>>
>>>>> I prefer to have any issues completely on the (developers) table so we
>>>>> can discuss them and come up with a solution if necessary quickly and
>>>>> advise the users ASAP. We are an open source project and well ...
>>>>> open. I do however, try to keep these forums/lists free of
>>>>> FUD/nonsense.
>>>>>
>>>>> I am aware of the $AllowAnyone issue which gave access to the GL Trial
>>>>> balance - which is now fixed and I have published a note to advise
>>>>> users.
>>>>>
>>>>> If there are any incorrect statements in messages to the list or the
>>>>> forum then I will try to remove them to avoid misleading anyone.
>>>>> Although this is not always easy.
>>>>>
>>>>> Phil
>>>>>
>>>>> Ph: +64 (0)275 567890
>>>>> Skype: daintree
>>>>> http://www.logicworks.co.nz
>>>>> ------------------------------------------------------------------------------
>>>>> Learn Graph Databases - Download FREE O'Reilly Book
>>>>> "Graph Databases" is the definitive new guide to graph databases and their
>>>>> applications. Written by three acclaimed leaders in the field,
>>>>> this first edition is now available. Download your free book today!
>>>>> http://p.sf.net/sfu/13534_NeoTech
>>>>> _______________________________________________
>>>>> Web-erp-developers mailing list
>>>>> Web...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers