[mapserver-dev] Motion: Updating the security reporting and workflow process

Jeff McKenna jmckenna at gatewaygeomatics.com
Fri Feb 28 09:59:09 PST 2020


Note that we should always be careful not to send the full email alias 
in text, as spam bots will attack it when they harvest the web.  Trust 
me, you'll see this soon if we post that address in email body and in 
html.  "mapserver-security (at) blah (dot) com"

-jeff



On 2020-02-28 1:56 p.m., Steve Lime wrote:
> Actually that's probably not an issue if the issues are filed via 
> mapserver-security at osgeo.org and then we create the tickets.
> 
> On Fri, Feb 28, 2020 at 11:42 AM Steve Lime <sdlime at gmail.com> wrote:
> 
>     Only drag with that is contributors need osgeo ids.
> 
>     On Fri, Feb 28, 2020 at 11:36 AM Michael Smith
>     <michael.smith.erdc at gmail.com> wrote:
> 
>         OSGeo has gitea in SAC. We can have a private mapserver repo
>         there.
> 
>         Mike
> 
>         --
>         Michael Smith
>         OSGeo Foundation Treasurer
>         treasurer at osgeo.org
> 
>         From: mapserver-dev <mapserver-dev-bounces at lists.osgeo.org>
>         on behalf of Steve Lime <sdlime at gmail.com>
>         Date: Friday, February 28, 2020 at 12:16 PM
>         To: Even Rouault <even.rouault at spatialys.com>
>         Cc: MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>
>         Subject: Re: [mapserver-dev] Motion: Updating the security
>         reporting and workflow process
> 
>         The collaborator limit does kinda suck. We can't host private
>         repos under the MapServer account. GitHub wants projects to move
>         to "teams" - $304/mo based on our current size. GitLab would
>         certainly work for a single purpose private repo.
> 
>         On Fri, Feb 28, 2020 at 11:06 AM Even Rouault
>         <even.rouault at spatialys.com> wrote:
> 
>             On Friday 28 February 2020 12:36:54 CET Jeff McKenna wrote:
>              > There is now a new alias that users can send an initial
>              > report to, that forwards to all PSC members:
>              > mapserver-security (at) osgeo (dot) org
>              >
>              > SteveL has also setup a private 'mapserver-private'
>              > repository on Github, to handle valid security reports,
>              > privately.
>              >
>              > So therefore:
>              >
>              > Motion: update documentation
>              > (https://mapserver.org/development/bugs.html) to list the
>              > steps to report a security concern, mentioning the first
>              > step of sending report to mapserver-security (at), and
>              > second step of a PSC member creating a ticket in the
>              > 'mapserver-private' repository.
> 
>             As apparently there's a limit to the number of collaborators
>             for a private GitHub repo, perhaps GitLab could be an option?
>             Some doc at
>             https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html
>             (I've no experience with that myself.)
> 
>             Even
> 
>             -- 
>             Spatialys - Geospatial professional services
>             http://www.spatialys.com
>             _______________________________________________
>             mapserver-dev mailing list
>             mapserver-dev at lists.osgeo.org
>             https://lists.osgeo.org/mailman/listinfo/mapserver-dev
> 
> 


-- 
Jeff McKenna
MapServer Consulting and Training Services
https://gatewaygeomatics.com/

