From: icedlava <ice...@gm...> - 2014-03-13 11:12:32

Hi Phil,

Thanks for setting those up. Do you mind if we add something on the Problems/Bugs forum description such as: "Please report potential security issues by email to: sec...@we..."

As previously mentioned, the bug tracker might be extra overhead at the moment if you are using the forum as well, but perhaps others might like to use it. Any thoughts from people? I can take a look at the bug tracker - if it is of some benefit we could continue with it. I don't mind taking care of it if it is wanted.

Cheers,

On 13 Mar 2014, at 19:31, Phil Daintree wrote:

> OK we have a new
>
> sec...@we...
>
> address that goes to Jo/Exson and I
>
> If you want to have a go at the bug tracker it is all yours. I am not keen to upload some other software though.
>
> Phil
>
> Phil Daintree
> Logic Works Ltd - +64 (0)275 567890
> http://www.logicworks.co.nz
>
> On 13/03/14 21:51, icedlava wrote:
>>> Yes that's how the thinking went - if we really want feedback on bugs then we need to make it easy to report - so the forum was the place.
>>>
>> hehe - in truth I've never really liked forums as I find them a bit cumbersome for tracking things and having to log in to the web. Always preferred mailing lists.
>>
>> Having a web based bug tracker is much the same as a forum but has the benefit that you can track, search, assign, hide, etc each bug as necessary. i.e. better for management of issues and historical use/looking back for checking.
>>
>> Again, if you do want someone to manage the bug tracker then I'm happy to do it, along with anyone else that wants to volunteer. I like bug trackers a lot. But I'd recommend you put a link to the bug tracker in the forum if you do use it.
>>
>> I agree and think the developer list is great for discussion.
>>
>> The reason this came up though is due to the security reporting process - would only work as intended if we had a place where the report could be initially out of public view - developer list is open right?
>>
>> As a simple alternative, setting up email sec...@we... and having it go to at least 3 people, or some secure non-public mail list would work too to keep the report out of public eye until assessed. Perhaps that's the way to go?
>>
>> Happy to support whatever is agreed.
>>
>> Cheers,
>>
>>
>> On 13 Mar 2014, at 18:40, Phil Daintree wrote:
>>
>>> Yes that's how the thinking went - if we really want feedback on bugs then we need to make it easy to report - so the forum was the place.
>>>
>>> I really do believe if there are issues then the developers list is where they belong unless we have a full time administrator working on the bug tracker.
>>>
>>> I am thinking of ditching the bug tracker unless anyone has violent objections or wishes to take it on - not sure how I got talked into putting it up!
>>>
>>> Phil
>>>
>>> Phil Daintree
>>> Logic Works Ltd - +64 (0)275 567890
>>> http://www.logicworks.co.nz
>>>
>>> On 13/03/14 20:35, icedlava wrote:
>>>> I believe a bug tracker works if all bugs are directed there otherwise it's just overhead. I do have an account there but as there is a bugs forum it seems redundant (and maybe why the tracker is not used more - doesn't seem to be easy to find the tracker either).
>>>>
>>>>> it is still there if you are keen to pick it up and give it a birthday
>>>> If there is one supported place for tracking bugs and communication on them, I'd be happy to maintain the bug tracker or lend a hand to whoever is doing it now (even tho I'm definitely not keen on Mantis). Just say the word.
>>>>
>>>> My point about a security email address (directing to a private list or shared mail address) was because sometimes a person just wants to quickly report something and know it's not going public.
>>>>
>>>> I agree with you that the developers mailing list is very useful and prefer it to forums. However it's public, and therefore does not fit the requirements for private reporting of security vulnerabilities. Once information is published there it remains public and searchable.
>>>>
>>>> Thanks for the feedback.
>>>>
>>>> cheers
>>>>
>>>>
>>>> On 13 Mar 2014, at 17:39, Phil Daintree wrote:
>>>>
>>>>> We already have a bug tracker.
>>>>>
>>>>> The snag with it though is that it is unmaintained - I can't remember who put their hand up keen to administer it, but they have not been able to keep it up. I must say I was sceptical at the time for just this reason and stated up front that I did not want to maintain it myself. However, it is still there if you are keen to pick it up and give it a birthday.
>>>>>
>>>>> http://www.weberp.org/bugs
>>>>>
>>>>> What you say is good sense. However, I still feel that this is what the developers mailing list is for.
>>>>>
>>>>> Phil
>>>>>
>>>>> Phil Daintree
>>>>> Logic Works Ltd - +64 (0)275 567890
>>>>> http://www.logicworks.co.nz
>>>>>
>>>>> On 13/03/14 15:27, icedlava wrote:
>>>>>> Hi Phil,
>>>>>>
>>>>>> Perhaps there could be a security reporting process that attempts to keep any vulnerabilities out of public eye until they are assessed and fixed and patch posted, depending on the severity.
>>>>>>
>>>>>> Some security issues are not as severe as others and would not hurt being publicly posted. Others might need urgent attention and fixing prior to publishing any info or hints to it, to ensure websites are not taken advantage of prior to the fix being applied.
>>>>>>
>>>>>> Example :
>>>>>>
>>>>>> 1. All security vulnerability posts to go to an email sec...@we... that is received to a closed list, viewable only to a list of developers. There would hopefully be at least one person that could receive /read it immediately and assess the severity, or notify someone who could assess it if they didn't know.
>>>>>> Most bug trackers also have the ability to post directly and not be viewed publicly - e.g. only viewable to a permission enabled list of people.
>>>>>>
>>>>>> 2. This email and/or bug tracker link could be publicised on weberp.org along with how security issues are handled.
>>>>>>
>>>>>> 3. If it is not a severe vulnerability, it could be publicly published to the list/forum/bug tracker for discussion or fixing
>>>>>>
>>>>>> 4. If it is severe and needs discussion, it could be posted to a 'closed' forum or bug tracker item that is open to all approved developers. They could address the issue, provide a patch. Once the patch is provided, it could be published openly.
>>>>>>
>>>>>> 5. Where a report is published openly before it becomes or is known as a severe security issue (e.g. list or forum), then hopefully before any key information is provided about it, discussion can be moved to the closed list/bug tracker for processing as in 3. This problem could be overcome by having a dedicated bug tracker that is always promoted to be used for any issue, as the bug could be hidden to the public along with any existing discussion (in most trackers) as soon as it becomes evident it's a security related one.
>>>>>>
>>>>>> Just a rough idea.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>>
>>>>>> On 13 Mar 2014, at 9:46, Phil Daintree wrote:
>>>>>>
>>>>>>> There is no secrecy here.
>>>>>>>
>>>>>>> If there is some issue that you are aware of then obviously the meat of what the issue is about needs to be contained in the message to the list. It is insufficient to head up a message major vulnerability referring to private discussions - which I am unaware of BTW - and suggest there is some major problem without any substance in the mail of what the issue is! Of course not many people would post such FUD this way.
>>>>>>>
>>>>>>> I prefer to have any issues completely on the (developers) table so we can discuss them and come up with a solution if necessary quickly and advise the users ASAP. We are an open source project and well ... open. I do however, try to keep these forums/lists free of FUD/nonsense.
>>>>>>>
>>>>>>> I am aware of the $AllowAnyone issue which gave access to the GL Trial balance - which is now fixed and I have published a note to advise users.
>>>>>>>
>>>>>>> If there are any incorrect statements in messages to the list or the forum then I will try to remove them to avoid misleading anyone. Although this is not always easy.
>>>>>>>
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> Ph: +64 (0)275 567890
>>>>>>> Skype: daintree
>>>>>>> http://www.logicworks.co.nz
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Learn Graph Databases - Download FREE O'Reilly Book
>>>>>>> "Graph Databases" is the definitive new guide to graph databases and their
>>>>>>> applications. Written by three acclaimed leaders in the field,
>>>>>>> this first edition is now available. Download your free book today!
>>>>>>> http://p.sf.net/sfu/13534_NeoTech
>>>>>>> _______________________________________________
>>>>>>> Web-erp-developers mailing list
>>>>>>> Web...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers