Security teams for xwiki-contrib repositories

Hi everyone,

I discovered today that by default contributors of xwiki-contrib repositories don’t have the capability to create draft advisories in Github repositories they’re contributing to.

So I propose to clarify the situation with the following:

  1. to have an xwiki-contrib security team (as a Github team), with the same people that are in xwiki organization security team: the people in that team would have access to all draft advisories of the xwiki-contrib organization. I’d edit the Security Policy instructions when adding a new security member to also edit that team
  2. to document that maintainers of an xwiki-contrib repo can grant access to advisories of their repo to individual people, after a request is performed on the forum, following basically the same process we have currently but for a specific xwiki-contrib project

The idea is that most people who contribute to XWiki standard code also contribute to extensions, and if they have security clearance to XS they should have the same for xwiki-contrib. And then other contributors could also have security clearance for specific extensions.

WDYT?

The team actually already exists, but was probably a bit forgotten so +1. We anyway need that so that people of the main security team can access contrib extensions vulnerabilities (which, I assume, is something we want anyway), and it’s apparently not possible to give access to a team from another organization.

+1, the only alternative is to grant maintain role instead of write role to the xwikiorg team in all contrib repositories, but I’m not sure we want to do that (not a fan on my side).

+1

Is your proposal to make the project leads members of the xwiki-contrib security team by default? Right now, most leads of contrib projects are not members of the xwiki org security team.

I don’t think project leads of contrib repos (or users with write access) have the permissions to grant access to advisories (they won’t see advisories themselves unless we do something, see my comment to point 1 above).

When someone asks for a contrib repo, we just give write access to the xwikiorg team, see https://contrib.xwiki.org/xwiki/bin/view/Main/WebHome#HGitHubRepositoryCreation

Thx

It’s not part of my proposal, no, as I’m not sure we systematically want any project lead to be able to see any advisory of any contrib repo.

Hmmm, however that might be something we want to change: I thought project leads had admin rights on their repo. Now this probably should be part of another proposal.