Reporting security bugs
Hi, There is now a mechanism in place for reporting security bugs via Bugzilla. If you look at the footer, you should now see a 'Report security bug' link. This allows someone who has a Bugzilla account to enter a bug in a new BZ product called 'Koha security'. Bugs reported in this fashion are visible only to the reporter and to members of a Koha security group currently consisting of the following individuals: Bernardo Gonzalez Kriegel Chris Cormack Frère Sébastien Marie Fridolin SOMERS Galen Charlton Ian Walls Jared Camins-Esakov Jonathan Druart Katrin Fischer Kyle M Hall M. de Rooy MJ Ray (software.coop) Paul Poulain Robin Sheat Tomás Cohen Arazi The idea is that members of the security group would be responsible for evaluating the bugs, fixing them (and drawing in outside help if needed), and releasing the fixes. Once a fix is released, the relevant bug(s) would be sanitized to remove mention of direct exploits, then have their products changed to 'Koha' so that they would be visible to all. This is not set in stone, so I invite discussion of the security policy. I also invite anybody who may have been sitting on security bugs for lack of a means to report them securely to go ahead and use BZ. Regards, Galen -- Galen Charlton Manager of Implementation Equinox Software, Inc. / The Open Source Experts email: gmc@esilibrary.com direct: +1 770-709-5581 cell: +1 404-984-4366 skype: gmcharlt web: http://www.esilibrary.com/ Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
Galen Charlton schreef op di 04-02-2014 om 14:40 [-0800]:
This is not set in stone, so I invite discussion of the security policy. I also invite anybody who may have been sitting on security bugs for lack of a means to report them securely to go ahead and use BZ.
I'd suggest adding a link on this page: http://koha-community.org/support/search-bugs/ for reporting a security issue, that takes you straight to the appropriate reporting link. Also, would it perhaps be good to autosubscribe the people on that list to the bug (if that's not happening already)? -- Robin Sheat Catalyst IT Ltd. ✆ +64 4 803 2204 GPG: 5FA7 4B49 1E4D CAA4 4C38 8505 77F5 B724 F871 3BDF
I've created the page http://www.koha-community.org/security explicitly for this purpose. Liz On 05/02/14 11:52, Robin Sheat wrote:
Galen Charlton schreef op di 04-02-2014 om 14:40 [-0800]:
This is not set in stone, so I invite discussion of the security policy. I also invite anybody who may have been sitting on security bugs for lack of a means to report them securely to go ahead and use BZ. I'd suggest adding a link on this page: http://koha-community.org/support/search-bugs/ for reporting a security issue, that takes you straight to the appropriate reporting link.
Also, would it perhaps be good to autosubscribe the people on that list to the bug (if that's not happening already)?
_______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
Hi, On Tue, Feb 4, 2014 at 2:52 PM, Robin Sheat <robin@catalyst.net.nz> wrote:
Also, would it perhaps be good to autosubscribe the people on that list to the bug (if that's not happening already)?
We'll need to figure out the best way of doing this, since there is no way in BZ to specify that members of a given group should receive all notifications for a given component. Options include: [1] Individually including everybody in the security team on the component's default CC list. I don't like this because of the maintenance burden and because it reduces the member's control over what gets emailed to them. [2] Creating a private email list that would become the default assignee or the default CC list. Such a list could also be used for internal security discussions. This is my preference. [3] Creating a special account that becomes the default assignee, and that members of the security team could choose to "follow" in BZ. Regards, Galen -- Galen Charlton Manager of Implementation Equinox Software, Inc. / The Open Source Experts email: gmc@esilibrary.com direct: +1 770-709-5581 cell: +1 404-984-4366 skype: gmcharlt web: http://www.esilibrary.com/ Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org
participants (3)
-
Galen Charlton -
Liz Rea -
Robin Sheat