[Koha-devel] Koha Library Software

Chris Cormack chris at bigballofwax.co.nz
Thu Jun 2 21:10:19 CEST 2011


2011/6/2 Frère Sébastien <semarie-koha at latrappe.fr>:
> On Wed, Jun 01, 2011 at 09:47:05AM +0200, Paul Poulain wrote:
>>
>> Next question: we've spoken of a mailing list for such vulnerabilities.
>> Should we create vulnerabilities at lists.koha-community.org? I think it
>> could be helpful.
>>
>
> I think the Koha project needs a communication channel for security issues: currently, the only one I know of is using the release manager's mail...
>
> And when I look at the Koha code, there is security work possible: but should I swamp the release manager with 'small' issues (like using regexes for sanitization before using user variables...) when he has enough work with 'release manager tasks'?
>
> I think it would be better to have 'a team' for security issues, and a place to track them.
>
> It should be:
>  - a list, as Paul proposes.
>  - a component in bugs.koha-community.org (like 'security' or 'vulnerabilities')
>  - any other suggestions ?
>
> Personally, I would choose both: a list with moderated subscription (the security team), and a component in bugzilla (where the list is the default assignee).
>
> The list for reporting and discussing issues (some may need conceptual modifications), and the bugzilla component for tracking.
>
> It seems to me that bugzilla can mark a bug as confidential. This would permit a minimum of discretion before the bug is corrected. But it should be public after patching or releasing.
>
I like these ideas. Do we have any dissenting opinions or should we make it so?
In talking to my friends who work in security, they suggest a page
prominently displayed somewhere that tells people how to let us know
about security issues.

Also, never feel like you are bothering me. I would always, always
rather know of any problems than not, so for the time being, if you
know of any issues, let me know. You can gpg-encrypt the mail with my
gpg key if you wish.

But let's get a more formal and documented process set up.

Chris
