From: Phil D. <ph...@lo...> - 2014-03-13 09:01:28

OK we have a new sec...@we... address that goes to Jo/Exson and I. If you want to have a go at the bug tracker it is all yours. I am not keen to upload some other software though.

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 13/03/14 21:51, icedlava wrote:
>> Yes that's how the thinking went - if we really want feedback on bugs
>> then we need to make it easy to report - so the forum was the place.
>>
> hehe - in truth I've never really liked forums as I find them a bit
> cumbersome for tracking things and having to log in to the web. Always
> preferred mailing lists.
>
> Having a web based bug tracker is much the same as a forum but has the
> benefit that you can track, search, assign, hide, etc. each bug as
> necessary, i.e. better for management of issues and historical
> use/looking back for checking.
>
> Again, if you do want someone to manage the bug tracker then I'm happy
> to do it, along with anyone else that wants to volunteer. I like bug
> trackers a lot. But I'd recommend you put a link to the bug tracker in
> the forum if you do use it.
>
> I agree and think the developer list is great for discussion.
>
> The reason this came up though is due to the security reporting process
> - it would only work as intended if we had a place where the report could
> be initially out of public view - developer list is open, right?
>
> As a simple alternative, setting up email sec...@we... and having
> it go to at least 3 people, or some secure non-public mail list would
> work too to keep the report out of public eye until assessed. Perhaps
> that's the way to go?
>
> Happy to support whatever is agreed.
>
> Cheers,
>
>
> On 13 Mar 2014, at 18:40, Phil Daintree wrote:
>
>> Yes that's how the thinking went - if we really want feedback on bugs
>> then we need to make it easy to report - so the forum was the place.
>>
>> I really do believe if there are issues then the developers list is
>> where they belong unless we have a full time administrator working on
>> the bug tracker.
>>
>> I am thinking of ditching the bug tracker unless anyone has violent
>> objections or wishes to take it on - not sure how I got talked into
>> putting it up!
>>
>> Phil
>>
>> Phil Daintree
>> Logic Works Ltd - +64 (0)275 567890
>> http://www.logicworks.co.nz
>>
>> On 13/03/14 20:35, icedlava wrote:
>>> I believe a bug tracker works if all bugs are directed there otherwise
>>> it's just overhead. I do have an account there but as there is a bugs
>>> forum it seems redundant (and maybe why the tracker is not used more -
>>> doesn't seem to be easy to find the tracker either).
>>>
>>>> it is still there if you are keen to pick it up and give it a
>>>> birthday
>>> If there is one supported place for tracking bugs and communication on
>>> them, I'd be happy to maintain the bug tracker or lend a hand to whoever
>>> is doing it now (even tho I'm definitely not keen on Mantis). Just say
>>> the word.
>>>
>>> My point about a security email address (directing to a private list or
>>> shared mail address) was because sometimes a person just wants to quickly
>>> report something and know it's not going public.
>>>
>>> I agree with you that the developers mailing list is very useful and
>>> prefer it to forums. However it's public, and therefore does not fit the
>>> requirements for private reporting of security vulnerabilities. Once
>>> information is published there it remains public and searchable.
>>>
>>> Thanks for the feedback.
>>>
>>> cheers
>>>
>>>
>>> On 13 Mar 2014, at 17:39, Phil Daintree wrote:
>>>
>>>> We already have a bug tracker.
>>>>
>>>> The snag with it though is that it is unmaintained - I can't remember
>>>> who put their hand up keen to administer it, but they have not been able
>>>> to keep it up. I must say I was sceptical at the time for just this
>>>> reason and stated up front that I did not want to maintain it myself.
>>>> However, it is still there if you are keen to pick it up and give it a
>>>> birthday.
>>>>
>>>> http://www.weberp.org/bugs
>>>>
>>>> What you say is good sense. However, I still feel that this is what the
>>>> developers mailing list is for.
>>>>
>>>> Phil
>>>>
>>>> Phil Daintree
>>>> Logic Works Ltd - +64 (0)275 567890
>>>> http://www.logicworks.co.nz
>>>>
>>>> On 13/03/14 15:27, icedlava wrote:
>>>>> Hi Phil,
>>>>>
>>>>> Perhaps there could be a security reporting process that attempts to
>>>>> keep any vulnerabilities out of public eye until they are assessed and
>>>>> fixed and patch posted, depending on the severity.
>>>>>
>>>>> Some security issues are not as severe as others and would not hurt
>>>>> being publicly posted. Others might need urgent attention and fixing
>>>>> prior to publishing any info or hints to it, to ensure websites are not
>>>>> taken advantage of prior to the fix being applied.
>>>>>
>>>>> Example:
>>>>>
>>>>> 1. All security vulnerability posts to go to an email
>>>>> sec...@we... that is received to a closed list, viewable only to
>>>>> a list of developers. There would hopefully be at least one person that
>>>>> could receive/read it immediately and assess the severity, or notify
>>>>> someone who could assess it if they didn't know.
>>>>> Most bug trackers also have the ability to post directly and not be
>>>>> viewed publicly - e.g. only viewable to a permission enabled list of
>>>>> people.
>>>>>
>>>>> 2. This email and/or bug tracker link could be publicised on weberp.org
>>>>> along with how security issues are handled.
>>>>>
>>>>> 3. If it is not a severe vulnerability, it could be publicly published
>>>>> to the list/forum/bug tracker for discussion or fixing.
>>>>>
>>>>> 4. If it is severe and needs discussion, it could be posted to a
>>>>> 'closed' forum or bug tracker item that is open to all approved
>>>>> developers. They could address the issue, provide a patch.
>>>>> Once the patch is provided, it could be published openly.
>>>>>
>>>>> 5. Where a report is published openly before it becomes or is known as a
>>>>> severe security issue (e.g. list or forum), then hopefully before any
>>>>> key information is provided about it, discussion can be moved to the
>>>>> closed list/bug tracker for processing as in 3. This problem could be
>>>>> overcome by having a dedicated bug tracker that is always promoted to be
>>>>> used for any issue, as the bug could be hidden to the public along with
>>>>> any existing discussion (in most trackers) as soon as it becomes evident
>>>>> it's a security related one.
>>>>>
>>>>> Just a rough idea.
>>>>>
>>>>> Cheers,
>>>>>
>>>>>
>>>>> On 13 Mar 2014, at 9:46, Phil Daintree wrote:
>>>>>
>>>>>> There is no secrecy here.
>>>>>>
>>>>>> If there is some issue that you are aware of then obviously the meat
>>>>>> of what the issue is about needs to be contained in the message to the
>>>>>> list. It is insufficient to head up a message major vulnerability
>>>>>> referring to private discussions - which I am unaware of BTW - and
>>>>>> suggest there is some major problem without any substance in the mail
>>>>>> of what the issue is! Of course not many people would post such FUD
>>>>>> this way.
>>>>>>
>>>>>> I prefer to have any issues completely on the (developers) table so we
>>>>>> can discuss them and come up with a solution if necessary quickly and
>>>>>> advise the users ASAP. We are an open source project and well ...
>>>>>> open. I do however, try to keep these forums/lists free of
>>>>>> FUD/nonsense.
>>>>>>
>>>>>> I am aware of the $AllowAnyone issue which gave access to the GL Trial
>>>>>> balance - which is now fixed and I have published a note to advise
>>>>>> users.
>>>>>>
>>>>>> If there are any incorrect statements in messages to the list or the
>>>>>> forum then I will try to remove them to avoid misleading anyone.
>>>>>> Although this is not always easy.
>>>>>>
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> Ph: +64 (0)275 567890
>>>>>> Skype: daintree
>>>>>> http://www.logicworks.co.nz
>>>>>> ------------------------------------------------------------------------------
>>>>>> Learn Graph Databases - Download FREE O'Reilly Book
>>>>>> "Graph Databases" is the definitive new guide to graph databases and their
>>>>>> applications. Written by three acclaimed leaders in the field,
>>>>>> this first edition is now available. Download your free book today!
>>>>>> http://p.sf.net/sfu/13534_NeoTech
>>>>>> _______________________________________________
>>>>>> Web-erp-developers mailing list
>>>>>> Web...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers