From: Phil D. <ph...@lo...> - 2014-03-12 23:16:19
There is no secrecy here.

If there is some issue that you are aware of then obviously the meat of what the issue is about needs to be contained in the message to the list. It is insufficient to head up a message "major vulnerability" referring to private discussions - which I am unaware of BTW - and suggest there is some major problem without any substance in the mail of what the issue is! Of course not many people would post such FUD this way.

I prefer to have any issues completely on the (developers) table so we can discuss them and come up with a solution if necessary quickly and advise the users ASAP. We are an open source project and well ... open. I do however, try to keep these forums/lists free of FUD/nonsense.

I am aware of the $AllowAnyone issue which gave access to the GL Trial balance - which is now fixed and I have published a note to advise users.

If there are any incorrect statements in messages to the list or the forum then I will try to remove them to avoid misleading anyone. Although this is not always easy.

Phil

Ph: +64 (0)275 567890
Skype: daintree
http://www.logicworks.co.nz
From: icedlava <ice...@gm...> - 2014-03-13 02:27:50
Hi Phil,

Perhaps there could be a security reporting process that attempts to keep any vulnerabilities out of public eye until they are assessed and fixed and patch posted, depending on the severity.

Some security issues are not as severe as others and would not hurt being publicly posted. Others might need urgent attention and fixing prior to publishing any info or hints to it, to ensure websites are not taken advantage of prior to the fix being applied.

Example:

1. All security vulnerability posts to go to an email sec...@we... that is received to a closed list, viewable only to a list of developers. There would hopefully be at least one person that could receive / read it immediately and assess the severity, or notify someone who could assess it if they didn't know. Most bug trackers also have the ability to post directly and not be viewed publicly - e.g. only viewable to a permission enabled list of people.

2. This email and/or bug tracker link could be publicised on weberp.org along with how security issues are handled.

3. If it is not a severe vulnerability, it could be publicly published to the list/forum/bug tracker for discussion or fixing.

4. If it is severe and needs discussion, it could be posted to a 'closed' forum or bug tracker item that is open to all approved developers. They could address the issue, provide a patch. Once the patch is provided, it could be published openly.

5. Where a report is published openly before it becomes or is known as a severe security issue (e.g. list or forum), then hopefully before any key information is provided about it, discussion can be moved to the closed list/bug tracker for processing as in 3. This problem could be overcome by having a dedicated bug tracker that is always promoted to be used for any issue, as the bug could be hidden to the public along with any existing discussion (in most trackers) as soon as it becomes evident it's a security related one.

Just a rough idea.

Cheers,
From: Phil D. <ph...@lo...> - 2014-03-13 07:09:33
We already have a bug tracker.

The snag with it though is that it is unmaintained - I can't remember who put their hand up keen to administer it, but they have not been able to keep it up. I must say I was sceptical at the time for just this reason and stated up front that I did not want to maintain it myself. However, it is still there if you are keen to pick it up and give it a birthday.

http://www.weberp.org/bugs

What you say is good sense. However, I still feel that this is what the developers mailing list is for.

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz
From: icedlava <ice...@gm...> - 2014-03-13 07:35:51
I believe a bug tracker works if all bugs are directed there, otherwise it's just overhead. I do have an account there but as there is a bugs forum it seems redundant (and maybe why the tracker is not used more - doesn't seem to be easy to find the tracker either).

> it is still there if you are keen to pick it up and give it a birthday

If there is one supported place for tracking bugs and communication on them, I'd be happy to maintain the bug tracker or lend a hand to whoever is doing it now (even though I'm definitely not keen on Mantis). Just say the word.

My point about a security email address (directing to a private list or shared mail address) was because sometimes a person just wants to quickly report something and know it's not going public.

I agree with you that the developers mailing list is very useful and prefer it to forums. However it's public, and therefore does not fit the requirements for private reporting of security vulnerabilities. Once information is published there it remains public and searchable.

Thanks for the feedback.

cheers
From: Phil D. <ph...@lo...> - 2014-03-13 08:10:33
Yes that's how the thinking went - if we really want feedback on bugs then we need to make it easy to report - so the forum was the place.

I really do believe if there are issues then the developers list is where they belong unless we have a full time administrator working on the bug tracker.

I am thinking of ditching the bug tracker unless anyone has violent objections or wishes to take it on - not sure how I got talked into putting it up!

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz
From: icedlava <ice...@gm...> - 2014-03-13 08:51:45
> Yes that's how the thinking went - if we really want feedback on bugs > then we need to make it easy to report - so the forum was the place. > hehe - in truth i've never really liked forums as I find them a bit cumbersome for tracking things and having to log in to the web. Always preferred mailing lists. Having a web based bug tracker is much the same as a forum but has the benefit that you can track, search, assign, hide, etc each bug as necessarily. i.e. better for management of issues and historical use/looking back for checking. Again, if you do want someone to manage the bug tracker then I'm happy to do it, along with anyone else that wants to volunteer. I like bug trackers a lot. But i'd recommend you put a link to the bug tracker in the forum if you do use it. I agree and think the developer list is great for discussion. The reason this came up though is due to the security reporting process - would only work as intended if we had a place where the report could be initially out of public view - developer list is open right? As a simple alternative, setting up email sec...@we... and having it go to at least 3 people, or some secure non-public mail list would work too to keep the report out of public eye until assessed. Perhaps that's the way to go? Happy to support whatever is agreed. Cheers, On 13 Mar 2014, at 18:40, Phil Daintree wrote: > Yes that's how the thinking went - if we really want feedback on bugs > then we need to make it easy to report - so the forum was the place. > > I really do believe if there are issues then the developers list is > where they belong unless we have a full time administrator working on > the bug tracker. > > I am thinking of ditching the bug tracker unless anyone has violent > objections or wishes to take it on - not sure how I got talked into > putting it up! 
> > Phil > > Phil Daintree > Logic Works Ltd - +64 (0)275 567890 > http://www.logicworks.co.nz > > On 13/03/14 20:35, icedlava wrote: >> I believe a bug tracker works if all bugs are directed there >> otherwise >> it's just overhead. I do have an account there but as there is a bugs >> forum it seems redundant (and maybe why the tracker is not used more >> - >> doesn't seem to be easy to find the tracker either). >> >>> it is still there is you are keen to pick it up and give it a >>> birthday >> If there is one supported place for tracking bugs and communication >> on >> them, I'd be happy to maintain the bug tracker or lend a hand to >> whoever >> is doing it now (even tho i'm definitely not keen on Mantis). Just >> say >> the word. >> >> My point about a security email address (directing to a private list >> or >> shared mail address) was because sometimes a person just want to >> quickly >> report something and know it's not going public. >> >> I agree with you that the developers mailing list is very useful and >> prefer it to forums. However it's public, and therefore does not fit >> the >> requirements for private reporting of security vulnerabilities. Once >> information is published there it remains public and searchable. >> >> Thanks for the feedback. >> >> cheers >> >> >> >> >> >> >> On 13 Mar 2014, at 17:39, Phil Daintree wrote: >> >>> We already have a bug tracker. >>> >>> The snag with it though is that it is unmaintained - I can't >>> remember >>> who put their hand up keen to administer it, but they have not been >>> able >>> to keep it up. I must say I was sceptical at the time for just this >>> reason and stated up front that I did not want to maintain it >>> myself. >>> However, it is still there is you are keen to pick it up and give it >>> a >>> birthday. >>> >>> http://www.weberp.org/bugs >>> >>> What you say is good sense. However, I still feel that this is what >>> the >>> developers mailing list is for. 
>>> >>> Phil >>> >>> Phil Daintree >>> Logic Works Ltd - +64 (0)275 567890 >>> http://www.logicworks.co.nz >>> >>> On 13/03/14 15:27, icedlava wrote: >>>> Hi Phil, >>>> >>>> Perhaps there could be a security reporting process that attempts >>>> to >>>> keep any vulnerabilities out of public eye until they are assessed >>>> and >>>> fixed and patch posted, depending on the severity. >>>> >>>> Some security issues are not as severe as others and would not hurt >>>> being publicly posted. Others might need urgent attention and >>>> fixing >>>> prior to publishing any info or hints to it, to ensure websites are >>>> not >>>> taken advantage of prior to the fix being applied. >>>> >>>> Example : >>>> >>>> 1. All security vulnerability posts to go to an email >>>> sec...@we... that is received to a closed list, viewable >>>> only >>>> to >>>> a list of developers. There would hopefully be at least one person >>>> that >>>> could receive /read it immediately and assess the severity, or >>>> notify >>>> someone who could assess it if they didn't know. >>>> Most bug trackers also have the ability to post directly and not be >>>> viewed publicly - e.g. only viewable to a permission enabled list >>>> of >>>> people . >>>> >>>> 2. This email and/or bug tracker link could be publicised on >>>> weberp.org >>>> along with how security issues are handled. >>>> >>>> 3. If it is not a severe vulnerability, it could be publicly >>>> published >>>> to the list/forum/bug tracker for discussion or fixing >>>> >>>> 4. If it is severe and needs discussion, it could be posted to a >>>> 'closed' forum or bug tracker item that is open to all approved >>>> developers. They could address the issue, provide a patch. >>>> Once the patch is provided, it could be published openly. >>>> >>>> 5. Where a report is published openly before it becomes or is known >>>> as a >>>> severe security issue (e.g. 
list or forum), then hopefully before >>>> any >>>> key information is provided about it, discussion can be moved to >>>> the >>>> closed list/bug tracker for processing as in 3. This problem could >>>> be >>>> overcome by having a dedicated bug tracker that is always promoted >>>> to >>>> be >>>> used for any issue, as the bug could be hidden to the public along >>>> with >>>> any existing discussion (in most trackers) as soon as it becomes >>>> evident >>>> it's a security related one. >>>> >>>> Just a rough idea. >>>> >>>> Cheers, >>>> >>>> >>>> >>>> >>>> On 13 Mar 2014, at 9:46, Phil Daintree wrote: >>>> >>>>> There is no secrecy here. >>>>> >>>>> If there is some issue that you are aware of then obviously the >>>>> meat >>>>> of what the issue is about needs to be contained in the message to >>>>> the >>>>> list. It is insufficient to head up a message major vulnerability >>>>> referring to private discussions - which I am unaware of BTW - and >>>>> suggest there is some major problem without any substance in the >>>>> mail >>>>> of what the issue is! Of course not many people would post such >>>>> FUD >>>>> this way. >>>>> >>>>> I prefer to have any issues completely on the (developers) table >>>>> so >>>>> we >>>>> can discuss them and come up with a solution if necessary quickly >>>>> and >>>>> advise the users ASAP. We are an open source project and well ... >>>>> open. I do however, try to keep these forums/lists free of >>>>> FUD/nonsense. >>>>> >>>>> I am aware of the $AllowAnyone issue which gave access to the GL >>>>> Trial >>>>> balance - which is now fixed and I have published a note to advise >>>>> users. >>>>> >>>>> If there are any incorrect statements in messages to the list or >>>>> the >>>>> forum then I will try to remove them to avoid misleading anyone. >>>>> Although this is not always easy. 
>>>>>
>>>>> Phil
>>>>>
>>>>> Ph: +64 (0)275 567890
>>>>> Skype: daintree
>>>>> http://www.logicworks.co.nz
>>>>> ------------------------------------------------------------------------------
>>>>> Learn Graph Databases - Download FREE O'Reilly Book
>>>>> "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today!
>>>>> http://p.sf.net/sfu/13534_NeoTech
>>>>> _______________________________________________
>>>>> Web-erp-developers mailing list
>>>>> Web...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
|
From: TimSchofield5 <ti...@we...> - 2014-03-13 07:38:00
|
Phil,

I didn't put the details in for the reasons Jo has said, that it would help any malicious person. I did refer you to the email that Exson sent you regarding the matter, and that email did provide full details.

If you wanted more information surely the correct thing to do was ask, rather than block my forum access?

Tim

-----
For those wondering about the constant nastiness and abuse that Phil Daintree fires at me, the facts can be found here at http://weberpafrica.blogspot.co.uk/

--
View this message in context: http://weberp-accounting.1478800.n4.nabble.com/Reporting-Of-Issues-tp4657245p4657249.html
Sent from the web-ERP-developers mailing list archive at Nabble.com.
|
From: Tim S. <tim...@gm...> - 2014-03-13 07:39:24
|
Phil,

I didn't put the details in for the reasons Jo has said, that it would help any malicious person. I did refer you to the email that Exson sent you regarding the matter, and that email did provide full details.

If you wanted more information surely the correct thing to do was ask, rather than block my forum access?

Tim

--
Course View Towers,
Plot 21 Yusuf Lule Road,
Kampala
T +256 (0) 312 314 418
M +256 (0) 752 963 325
www.weberpafrica.com
Twitter: @TimSchofield2
Blog: http://weberpafrica.blogspot.co.uk/
|
From: icedlava <ice...@gm...> - 2014-03-13 07:54:00
|
Tim,

What do you think of the ideas for some security reporting process as I posted in a separate thread? Any suggestions?

Cheers,
|
From: Phil D. <ph...@lo...> - 2014-03-13 09:01:28
|
OK we have a new

sec...@we...

address that goes to Jo/Exson and I

If you want to have a go at the bug tracker it is all yours. I am not keen to upload some other software though.

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 13/03/14 21:51, icedlava wrote:
>> Yes that's how the thinking went - if we really want feedback on bugs then we need to make it easy to report - so the forum was the place.
>>
> hehe - in truth i've never really liked forums as I find them a bit cumbersome for tracking things and having to log in to the web. Always preferred mailing lists.
>
> Having a web based bug tracker is much the same as a forum but has the benefit that you can track, search, assign, hide, etc each bug as necessary. i.e. better for management of issues and historical use/looking back for checking.
>
> Again, if you do want someone to manage the bug tracker then I'm happy to do it, along with anyone else that wants to volunteer. I like bug trackers a lot. But i'd recommend you put a link to the bug tracker in the forum if you do use it.
>
> I agree and think the developer list is great for discussion.
>
> The reason this came up though is due to the security reporting process - would only work as intended if we had a place where the report could be initially out of public view - developer list is open right?
>
> As a simple alternative, setting up email sec...@we... and having it go to at least 3 people, or some secure non-public mail list would work too to keep the report out of public eye until assessed. Perhaps that's the way to go?
>
> Happy to support whatever is agreed.
>
> Cheers,
>
> On 13 Mar 2014, at 18:40, Phil Daintree wrote:
>
>> Yes that's how the thinking went - if we really want feedback on bugs then we need to make it easy to report - so the forum was the place.
>>
>> I really do believe if there are issues then the developers list is where they belong unless we have a full time administrator working on the bug tracker.
>>
>> I am thinking of ditching the bug tracker unless anyone has violent objections or wishes to take it on - not sure how I got talked into putting it up!
>>
>> Phil
>>
>> Phil Daintree
>> Logic Works Ltd - +64 (0)275 567890
>> http://www.logicworks.co.nz
>>
>> On 13/03/14 20:35, icedlava wrote:
>>> I believe a bug tracker works if all bugs are directed there otherwise it's just overhead. I do have an account there but as there is a bugs forum it seems redundant (and maybe why the tracker is not used more - doesn't seem to be easy to find the tracker either).
>>>
>>>> it is still there if you are keen to pick it up and give it a birthday
>>> If there is one supported place for tracking bugs and communication on them, I'd be happy to maintain the bug tracker or lend a hand to whoever is doing it now (even tho i'm definitely not keen on Mantis). Just say the word.
>>>
>>> My point about a security email address (directing to a private list or shared mail address) was because sometimes a person just wants to quickly report something and know it's not going public.
>>>
>>> I agree with you that the developers mailing list is very useful and prefer it to forums. However it's public, and therefore does not fit the requirements for private reporting of security vulnerabilities. Once information is published there it remains public and searchable.
>>>
>>> Thanks for the feedback.
>>>
>>> cheers
>>>
>>> On 13 Mar 2014, at 17:39, Phil Daintree wrote:
>>>
>>>> We already have a bug tracker.
>>>>
>>>> The snag with it though is that it is unmaintained - I can't remember who put their hand up keen to administer it, but they have not been able to keep it up.
>>>> I must say I was sceptical at the time for just this reason and stated up front that I did not want to maintain it myself. However, it is still there if you are keen to pick it up and give it a birthday.
>>>>
>>>> http://www.weberp.org/bugs
>>>>
>>>> What you say is good sense. However, I still feel that this is what the developers mailing list is for.
>>>>
>>>> Phil
>>>>
>>>> Phil Daintree
>>>> Logic Works Ltd - +64 (0)275 567890
>>>> http://www.logicworks.co.nz
|
From: icedlava <ice...@gm...> - 2014-03-13 11:12:32
|
Hi Phil,

Thanks for setting those up.

Do you mind if we add something on the Problems/Bugs forum description such as:

"Please report potential security issues by email to: sec...@we..."

As previously mentioned, the bug tracker might be extra overhead at the moment if you are using the forum as well, but perhaps others might like to use it. Any thoughts from people?

I can take a look at the bug tracker - if it is of some benefit we could continue with it. I don't mind taking care of it if it is wanted.

Cheers,
|