[Koha-devel] Koha Library Software

Frère Sébastien Marie semarie-koha at latrappe.fr
Thu Jun 2 12:14:08 CEST 2011


On Wed, Jun 01, 2011 at 09:47:05AM +0200, Paul Poulain wrote:
> 
> Next question: we've spoken of a mailing list for such vulnerabilities.
> Should we create vulnerabilities at lists.koha-community.org? I think it
> could be helpful.
> 

I think the Koha project needs a communication channel for security issues: currently, the only one I know of is using the release manager's mail...

And when I look at the Koha code, there is work possible on security: but should I flood the release manager with 'small' issues (like using regexes for sanitization before using user variables...) when he already has enough work with 'release manager tasks'?

I think it would be better to have 'a team' for security issues, and a place to track these.

It should be:
  - a list, as Paul proposes.
  - a component in bugs.koha-community.org (like 'security' or 'vulnerabilities')
  - any other suggestions?

Personally, I would choose both: have a list with moderated subscription (the security team), and a component in bugzilla (where the list is the default assignee).

The list, for reporting and discussing issues (some may need conceptual modifications), and the bugzilla component for tracking.

It seems to me that bugzilla can mark a bug as confidential. This would permit a minimum of discretion before the bug is corrected. But it should be made public after patching or releasing.

-- 
Frère Sébastien Marie
Abbaye Notre Dame de La Trappe
61380 Soligny-la-Trappe
Tél: 02.33.84.17.00
Fax: 02.33.34.98.57
Web: http://www.latrappe.fr/
