<div dir="ltr">+1 - that'll work.<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 28, 2020 at 3:07 PM Jeff McKenna <<a href="mailto:jmckenna@gatewaygeomatics.com">jmckenna@gatewaygeomatics.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">So an updated motion, according to the workflow put in place today :<br>
<br>
Motion: update documentation <br>
(<a href="https://mapserver.org/development/bugs.html" rel="noreferrer" target="_blank">https://mapserver.org/development/bugs.html</a>) to list the steps to <br>
report a security concern, mentioning the first step of sending report <br>
to mapserver-security(at), and second step of a PSC member creating a <br>
ticket in the 'mapserver-private' Gitea repository, and final step of <br>
informing other projects of the vulnerability through security-priv.<br>
<br>
+1 jeff<br>
<br>
<br>
<br>
On 2020-02-28 2:15 p.m., Rahkonen Jukka (MML) wrote:<br>
> Hi,<br>
> <br>
> In Geoserver project we don't receive especially much spam to geoserver-security (at) lists dot osgeo dot org but I do not know if that OSGeo hosted list has spam filters. Jody Garnett probably knows. But somehow I feel that during these AI times there is already an algorithm somewhere that knows to connect (at) with @.<br>
> <br>
> -Jukka-<br>
> <br>
> -----Alkuperäinen viesti-----<br>
> Lähettäjä: mapserver-dev <<a href="mailto:mapserver-dev-bounces@lists.osgeo.org" target="_blank">mapserver-dev-bounces@lists.osgeo.org</a>> Puolesta Jeff McKenna<br>
> Lähetetty: perjantai 28. helmikuuta 2020 19.59<br>
> Vastaanottaja: <a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a><br>
> Aihe: Re: [mapserver-dev] Motion: Updating the security reporting and workflow process<br>
> <br>
> Note that we should always be careful not to send the full email alias in text, as spam bots will attack it when they harvest the web. Trust me, you'll see this soon if we post that address in email body and in html. "mapserver-security (at) blah (dot) com"<br>
> <br>
> -jeff<br>
> <br>
> <br>
> <br>
> On 2020-02-28 1:56 p.m., Steve Lime wrote:<br>
>> Actually that's probably not an issue if the issues are filed via<br>
>> <a href="mailto:mapserver-security@osgeo.org" target="_blank">mapserver-security@osgeo.org</a> <mailto:<a href="mailto:mapserver-security@osgeo.org" target="_blank">mapserver-security@osgeo.org</a>> and<br>
>> then we create the tickets.<br>
>><br>
>> On Fri, Feb 28, 2020 at 11:42 AM Steve Lime <<a href="mailto:sdlime@gmail.com" target="_blank">sdlime@gmail.com</a><br>
>> <mailto:<a href="mailto:sdlime@gmail.com" target="_blank">sdlime@gmail.com</a>>> wrote:<br>
>><br>
>> Only drag with that is contributors need osgeo ids.<br>
>><br>
>> On Fri, Feb 28, 2020 at 11:36 AM Michael Smith<br>
>> <<a href="mailto:michael.smith.erdc@gmail.com" target="_blank">michael.smith.erdc@gmail.com</a> <mailto:<a href="mailto:michael.smith.erdc@gmail.com" target="_blank">michael.smith.erdc@gmail.com</a>>><br>
>> wrote:<br>
>><br>
>> OSGeo has gitea in SAC. We can have a private mapserver repo<br>
>> there. ____<br>
>><br>
>> __ __<br>
>><br>
>> Mike____<br>
>><br>
>> __ __<br>
>><br>
>> __ __<br>
>><br>
>> --____<br>
>><br>
>> Michael Smith____<br>
>><br>
>> OSGeo Foundation Treasurer____<br>
>><br>
>> <a href="mailto:treasurer@osgeo.org" target="_blank">treasurer@osgeo.org</a> <mailto:<a href="mailto:treasurer@osgeo.org" target="_blank">treasurer@osgeo.org</a>>____<br>
>><br>
>> __ __<br>
>><br>
>> __ __<br>
>><br>
>> *From: *mapserver-dev <<a href="mailto:mapserver-dev-bounces@lists.osgeo.org" target="_blank">mapserver-dev-bounces@lists.osgeo.org</a><br>
>> <mailto:<a href="mailto:mapserver-dev-bounces@lists.osgeo.org" target="_blank">mapserver-dev-bounces@lists.osgeo.org</a>>> on behalf of<br>
>> Steve Lime <<a href="mailto:sdlime@gmail.com" target="_blank">sdlime@gmail.com</a> <mailto:<a href="mailto:sdlime@gmail.com" target="_blank">sdlime@gmail.com</a>>><br>
>> *Date: *Friday, February 28, 2020 at 12:16 PM<br>
>> *To: *Even Rouault <<a href="mailto:even.rouault@spatialys.com" target="_blank">even.rouault@spatialys.com</a><br>
>> <mailto:<a href="mailto:even.rouault@spatialys.com" target="_blank">even.rouault@spatialys.com</a>>><br>
>> *Cc: *MapServer Dev Mailing List <<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a><br>
>> <mailto:<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a>>><br>
>> *Subject: *Re: [mapserver-dev] Motion: Updating the security<br>
>> reporting and workflow process____<br>
>><br>
>> __ __<br>
>><br>
>> The collaborator limit does kinda suck. We can't host private<br>
>> repos under the MapServer account. Github want projects to move<br>
>> to "teams" - $304/mo based on our current size. Gitlab would<br>
>> certainly work for a single purpose private repo. ____<br>
>><br>
>> __ __<br>
>><br>
>> On Fri, Feb 28, 2020 at 11:06 AM Even Rouault<br>
>> <<a href="mailto:even.rouault@spatialys.com" target="_blank">even.rouault@spatialys.com</a> <mailto:<a href="mailto:even.rouault@spatialys.com" target="_blank">even.rouault@spatialys.com</a>>><br>
>> wrote:____<br>
>><br>
>> On vendredi 28 février 2020 12:36:54 CET Jeff McKenna wrote:<br>
>> > There is now a new alias that users can send an initial<br>
>> report to, that<br>
>> > forwards to all PSC members: mapserver-security (at)<br>
>> osgeo (dot) org<br>
>> ><br>
>> > SteveL has also setup a private 'mapserver-private'<br>
>> repository on<br>
>> > Github, to handle valid security reports, privately.<br>
>> ><br>
>> > So therefore:<br>
>> ><br>
>> > Motion: update documentation<br>
>> > (<a href="https://mapserver.org/development/bugs.html" rel="noreferrer" target="_blank">https://mapserver.org/development/bugs.html</a>) to list the<br>
>> steps to<br>
>> > report a security concern, mentioning the first step of<br>
>> sending report<br>
>> > to mapserver-security (at), and second step of a PSC<br>
>> member creating a<br>
>> > ticket in the 'mapserver-private' repository.<br>
>><br>
>> As apparently there's a limit to the number of collaborators<br>
>> for a private<br>
>> github repo, perhaps GitLab could be an option ?<br>
>> Some doc at<br>
>> <a href="https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html" rel="noreferrer" target="_blank">https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html</a><br>
>> (I've not experience with that myself.)<br>
>><br>
>> Even<br>
>><br>
>> --<br>
>> Spatialys - Geospatial professional services<br>
>> <a href="http://www.spatialys.com" rel="noreferrer" target="_blank">http://www.spatialys.com</a><br>
>> _______________________________________________<br>
>> mapserver-dev mailing list<br>
>> <a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a><br>
>> <mailto:<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a>><br>
>> <a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev____" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-dev____</a><br>
>><br>
>> _______________________________________________ mapserver-dev<br>
>> mailing list <a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a><br>
>> <mailto:<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a>><br>
>> <a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev____" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-dev____</a><br>
>><br>
_______________________________________________<br>
mapserver-dev mailing list<br>
<a href="mailto:mapserver-dev@lists.osgeo.org" target="_blank">mapserver-dev@lists.osgeo.org</a><br>
<a href="https://lists.osgeo.org/mailman/listinfo/mapserver-dev" rel="noreferrer" target="_blank">https://lists.osgeo.org/mailman/listinfo/mapserver-dev</a></blockquote></div>