Create a Security category in the forum

Hi devs,

I’d like to propose to move away from the Security mailing list and instead use this discourse forum (same as what we did for the user and devs mailing lists in the past).

Here’s my +1

Thanks

+1

How do we proceed for the migration from the ML? Is sending a mail to announce the new forum and assign the right to see the security section enough? (I’m not sure how many people are on the ML)

Fine with me.

I doubt we can do much more.

At the moment I’m tending towards -1, the reason is the following:

The security policy explicitly mentions that the mailing list can be contacted without being a member. The security mailing list is therefore the only place where security issues can be reported without registering an account in one of our systems. I think we should keep such a place as people might refrain from creating an account to report an issue and we should not discourage people from reporting security issues. Apart from that, mailing lists have the nice property that you can include or exclude external people in a discussion (by sending emails to them in addition to the list) and this can be useful if somebody wants to discuss something related to security without creating an issue - maybe it is not clear that it is an issue, for example.

I would be willing to change my opinion if we instead create a separate mailing list that is actively monitored by at least two committers and can be used by external people as security contact if they want to discuss an issue. The people on this list would then be responsible to forward the issue to the forum or Jira if appropriate and keep the contacting person informed about the progress. As this is quite a lot more work than keeping the current security mailing list I’m not sure this is a good idea.

In any case, I think this is something that should be discussed with XWiki SAS (the currently sole sponsoring company) if this hasn’t been done yet as this seems quite a big change in terms of security policy and the possibilities to report security issues which might be relevant for customers that, e.g., expect that a certain form of security contact possibility exists.

I’m +1 that we move the discussions between people who have rights to see security ML in the forum, and to take decisions related to security there.

Now I agree with @MichaelHamann on the fact that we need a channel for people to contact us about security issues. Note that even if the ML exists and we’re referring to it in our policy, it doesn’t mean that people are using it for this… I don’t think I ever saw someone using that ML to inform us about a security issue in the past 3 years.

So I’d say we should agree to keep an email contact address to write us about a security issue, which could be actually the committers email address.

I’m +1 if we implement the proposal by @surli and keep a security contact email address that redirects (or is) the committers email address.

+1, IMO it’s better to keep the current address (security@xwiki.org) and redirect it to the committers address

Good point. I’ve checked and we can’t allow people to just create a new topic in a category if they can’t see its posts (they even need to have the “reply” right on the category). It would have been an interesting feature of Discourse to see a private category in the list of categories without being able to view its content and to be able to create a new post in it (which can be moderated, there’s a setting for this).

So it seems we need to keep the mail alias for now, which is ok.

Thx

I’ve now:

TODO:

Regarding security@xwiki.org my opinion is that it’s not really needed and we should remove it and direct users to report security issues using jira. The advantages of jira are:

  • it logs a task to do and we won’t forget it.
  • the user must be authenticated and it’s good to know who we’re talking to. Since the user is authenticated any comment we put will be received too. Yes, it’s a little bit more complex than using a mailing list without registration.

I’m still in favor of keeping the security@xwiki.org contact, possibly redirecting to the committers list simply due to the reason that email is a commonly accepted standard for a simple way to establish a first contact without requiring any account registration etc.

My understanding is that at the moment nobody is receiving notification emails for Jira issues they are watching, so users won’t be notified when we comment on an issue they reported, and the likelihood is high that they won’t notice the comment. This is something we need to solve, but as this has been reported several times during the past months, my hopes are low that it will be solved anytime soon.

+1

I agree, it does not cost much to keep the security@xwiki.org contact.

The reality is that we almost never receive emails on the security list but we do get jira issues created.

I’ve checked and since 2013 we’ve received 1 mail on this list, not coming from us …

We’re indicating this email as contact information in every security advisory we’re publishing. These security advisories are distributed to places where they most likely will never be updated again, so even with a lot of effort we cannot change this contact information anymore. Therefore, I think we should definitely keep this email alias.

@vmassol There are still incoming emails on the security list from Jira, do you plan to let Jira post on this forum, too? My understanding was that we would only keep the security contact email as an external contact that redirects to the committers list, so I think those emails from Jira should also be transformed into forum posts.

That might be a bit of work, since I think we did not configure the support for that yet AFAIK. Also, I’m not a fan of creating a forum post for something which is a notification (but maybe that was your point too).

I’m also not sure about creating forum posts, but we should do something with these notifications such that they reach all the people that previously got them. Even if we keep the security contact, my understanding was that not everybody who previously got the email will still get them. We could keep the security list in its current form (but then I don’t see the point of duplicating it in the forum) or we could teach Jira to directly send those notifications to all involved people. Maybe we could do this based on the existing groups in Jira, i.e., send them to everybody in the respective user groups?