Chris Cormack wrote:
2011/6/2 Frère Sébastien <semarie-koha@latrappe.fr>:
On Wed, Jun 01, 2011 at 09:47:05AM +0200, Paul Poulain wrote:
Next question: we've spoken of a mailing list for such vulnerabilities. Should we create vulnerabilities@lists.koha-community.org ? I think it could be helpfull.
I think Koha project need a communication canal for security issues: currently, the only one I know is using the release manager mail... [...] Personnally, I will choose both: have a list with moderated subscription (the team security), and a component in bugzilla (where the list is the default assignee). [...] I like these ideas. Do we have any dissenting opinions or should we make it so?
Please, no closed list for development discussions. If someone finds a security vulnerability and has a support provider, they should tell them. If they do not, contact the project release manager - hopefully we always have release managers who value security highly. I'd encourage everyone to practice full disclosure and discuss them on the BTS or koha-devel as much as possible. Hope that explains, -- MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op. http://koha-community.org supporter, web and LMS developer, statistician. In My Opinion Only: see http://mjr.towers.org.uk/email.html Available for hire for Koha work http://www.software.coop/products/koha