[mapserver-dev] Motion: Updating the security reporting and workflow process

Steve Lime sdlime at gmail.com
Fri Feb 28 09:56:09 PST 2020


Actually that's probably not an issue if the issues are filed via
mapserver-security at osgeo.org and then we create the tickets.

On Fri, Feb 28, 2020 at 11:42 AM Steve Lime <sdlime at gmail.com> wrote:

> Only drag with that is contributors need osgeo ids.
>
> On Fri, Feb 28, 2020 at 11:36 AM Michael Smith <
> michael.smith.erdc at gmail.com> wrote:
>
>> OSGeo has gitea in SAC. We can have a private mapserver repo there.
>>
>> Mike
>>
>> --
>> Michael Smith
>> OSGeo Foundation Treasurer
>> treasurer at osgeo.org
>>
>> *From: *mapserver-dev <mapserver-dev-bounces at lists.osgeo.org> on behalf
>> of Steve Lime <sdlime at gmail.com>
>> *Date: *Friday, February 28, 2020 at 12:16 PM
>> *To: *Even Rouault <even.rouault at spatialys.com>
>> *Cc: *MapServer Dev Mailing List <mapserver-dev at lists.osgeo.org>
>> *Subject: *Re: [mapserver-dev] Motion: Updating the security reporting
>> and workflow process
>>
>> The collaborator limit does kinda suck. We can't host private repos under
>> the MapServer account. GitHub wants projects to move to "teams" - $304/mo
>> based on our current size. Gitlab would certainly work for a single purpose
>> private repo.
>>
>> On Fri, Feb 28, 2020 at 11:06 AM Even Rouault <even.rouault at spatialys.com>
>> wrote:
>>
>> On Friday 28 February 2020 12:36:54 CET Jeff McKenna wrote:
>> > There is now a new alias that users can send an initial report to, that
>> > forwards to all PSC members: mapserver-security (at) osgeo (dot) org
>> >
>> > SteveL has also set up a private 'mapserver-private' repository on
>> > GitHub, to handle valid security reports, privately.
>> >
>> > So therefore:
>> >
>> > Motion: update documentation
>> > (https://mapserver.org/development/bugs.html) to list the steps to
>> > report a security concern, mentioning the first step of sending report
>> > to mapserver-security (at), and second step of a PSC member creating a
>> > ticket in the 'mapserver-private' repository.
>>
>> As apparently there's a limit to the number of collaborators for a
>> private GitHub repo, perhaps GitLab could be an option?
>> Some doc at
>> https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html
>> (I've no experience with that myself.)
>>
>> Even
>>
>> --
>> Spatialys - Geospatial professional services
>> http://www.spatialys.com
>> _______________________________________________
>> mapserver-dev mailing list
>> mapserver-dev at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
>>
>>
>