Security Policy for contrib projects

surli · March 11, 2021, 9:14am

Hi everyone,

we adopted a security policy for XWiki few months ago (XWiki Security Policy (Community.SecurityPolicy.WebHome) - XWiki) but we never really clarified the security policy for XWiki contrib extensions.
IMO contrib extensions should follow the same policy and we should mention it in http://contrib.xwiki.org/xwiki/bin/view/Main/WebHome.

In practice I see one improvment that we should made for this to happen: right now the security issues are created in JIRA and marked as confidential and only few people can read them. It would make sense that the lead of a project could always see the confidential issue of her own contrib project, even if she doesn’t have the right to see all confidential issue.

WDYT?

tmortagne · March 11, 2021, 9:43am

Jira project leads don’t already have the right to see all the issues of the project ?

surli · March 11, 2021, 9:46am

I honestly don’t know. But we need to check that if the policy is aimed to be adopted for contrib projects.

tmortagne · March 11, 2021, 10:06am

Not sure this point really need to be explicit in the policy but sure the project lead should have access to all the project issues.

vmassol · March 11, 2021, 10:15am

Note that contrib projects are already supposed to follow the rules at https://dev.xwiki.org/ already (see https://contrib.xwiki.org/xwiki/bin/view/Main/WebHome#HDevelopmentPractices).

Sounds good.

surli · March 11, 2021, 11:09am

I assumed that yes, here the proposal is more to emphasize about the need to comply to the same security policy by mentioning it in contrib.xwiki.org. In the future we can imagine amending this policy specifically for contrib: for example if we consider that the embargo delay should be different from XWiki Standard.

Sure I didn’t mean to mention that in the policy, just to check it since it’s a technicality that might prevent complying to the policy.