[mapserver-dev] Motion: Updating the security reporting and workflow process

Rahkonen Jukka (MML) jukka.rahkonen at maanmittauslaitos.fi
Fri Feb 28 10:15:50 PST 2020


Hi,

In the GeoServer project we don't receive especially much spam to geoserver-security (at) lists dot osgeo dot org but I do not know if that OSGeo hosted list has spam filters. Jody Garnett probably knows. But somehow I feel that during these AI times there is already an algorithm somewhere that knows to connect (at) with @.

-Jukka-

-----Original Message-----
From: mapserver-dev <mapserver-dev-bounces at lists.osgeo.org> On Behalf Of Jeff McKenna
Sent: Friday, 28 February 2020 19:59
To: mapserver-dev at lists.osgeo.org
Subject: Re: [mapserver-dev] Motion: Updating the security reporting and workflow process

Note that we should always be careful not to send the full email alias in text, as spam bots will attack it when they harvest the web. Trust me, you'll see this soon if we post that address in email body and in html. "mapserver-security (at) blah (dot) com"

-jeff



On 2020-02-28 1:56 p.m., Steve Lime wrote:
> Actually that's probably not an issue if the issues are filed via 
> mapserver-security at osgeo.org <mailto:mapserver-security at osgeo.org> and 
> then we create the tickets.
> 
> On Fri, Feb 28, 2020 at 11:42 AM Steve Lime <sdlime at gmail.com 
> <mailto:sdlime at gmail.com>> wrote:
> 
>     Only drag with that is contributors need osgeo ids.
> 
>     On Fri, Feb 28, 2020 at 11:36 AM Michael Smith
>     <michael.smith.erdc at gmail.com <mailto:michael.smith.erdc at gmail.com>>
>     wrote:
> 
>         OSGeo has gitea in SAC. We can have a private mapserver repo
>         there.
> 
>         Mike
> 
>         --
>         Michael Smith
>         OSGeo Foundation Treasurer
>         treasurer at osgeo.org <mailto:treasurer at osgeo.org>
> 
>         *From: *mapserver-dev <mapserver-dev-bounces at lists.osgeo.org
>         <mailto:mapserver-dev-bounces at lists.osgeo.org>> on behalf of
>         Steve Lime <sdlime at gmail.com <mailto:sdlime at gmail.com>>
>         *Date: *Friday, February 28, 2020 at 12:16 PM
>         *To: *Even Rouault <even.rouault at spatialys.com
>         <mailto:even.rouault at spatialys.com>>
>         *Cc: *MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org
>         <mailto:mapserver-dev at lists.osgeo.org>>
>         *Subject: *Re: [mapserver-dev] Motion: Updating the security
>         reporting and workflow process
> 
>         The collaborator limit does kinda suck. We can't host private
>         repos under the MapServer account. Github want projects to move
>         to "teams" - $304/mo based on our current size. Gitlab would
>         certainly work for a single purpose private repo.
> 
>         On Fri, Feb 28, 2020 at 11:06 AM Even Rouault
>         <even.rouault at spatialys.com <mailto:even.rouault at spatialys.com>>
>         wrote:
> 
>             On Friday 28 February 2020 12:36:54 CET Jeff McKenna wrote:
>              > There is now a new alias that users can send an initial report to, that
>              > forwards to all PSC members: mapserver-security (at) osgeo (dot) org
>              >
>              > SteveL has also setup a private 'mapserver-private' repository on
>              > Github, to handle valid security reports, privately.
>              >
>              > So therefore:
>              >
>              > Motion: update documentation
>              > (https://mapserver.org/development/bugs.html) to list the steps to
>              > report a security concern, mentioning the first step of sending report
>              > to mapserver-security (at), and second step of a PSC member creating a
>              > ticket in the 'mapserver-private' repository.
> 
>             As apparently there's a limit to the number of collaborators for a private
>             github repo, perhaps GitLab could be an option?
>             Some doc at
>             https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html
>             (I have no experience with that myself.)
> 
>             Even
> 
>             -- 
>             Spatialys - Geospatial professional services
>             http://www.spatialys.com
>             _______________________________________________
>             mapserver-dev mailing list
>             mapserver-dev at lists.osgeo.org
>             <mailto:mapserver-dev at lists.osgeo.org>
>             https://lists.osgeo.org/mailman/listinfo/mapserver-dev
> 


--
Jeff McKenna
MapServer Consulting and Training Services https://gatewaygeomatics.com/