[mapserver-dev] Motion: Updating the security reporting and workflow process
Steve Lime
sdlime at gmail.com
Fri Feb 28 13:44:17 PST 2020
+1 - that'll work.
On Fri, Feb 28, 2020 at 3:07 PM Jeff McKenna <jmckenna at gatewaygeomatics.com> wrote:
> So an updated motion, according to the workflow put in place today :
>
> Motion: update documentation
> (https://mapserver.org/development/bugs.html) to list the steps to
> report a security concern, mentioning the first step of sending report
> to mapserver-security(at), and second step of a PSC member creating a
> ticket in the 'mapserver-private' Gitea repository, and final step of
> informing other projects of the vulnerability through security-priv.
>
> +1 jeff
>
>
>
> On 2020-02-28 2:15 p.m., Rahkonen Jukka (MML) wrote:
> > Hi,
> >
> > In Geoserver project we don't receive especially much spam to
> geoserver-security (at) lists dot osgeo dot org but I do not know if that
> OSGeo hosted list has spam filters. Jody Garnett probably knows. But
> somehow I feel that during these AI times there is already an algorithm
> somewhere that knows to connect (at) with @.
> >
> > -Jukka-
> >
> > -----Original message-----
> > From: mapserver-dev <mapserver-dev-bounces at lists.osgeo.org>
> On behalf of Jeff McKenna
> > Sent: Friday 28 February 2020 19.59
> > To: mapserver-dev at lists.osgeo.org
> > Subject: Re: [mapserver-dev] Motion: Updating the security reporting and
> workflow process
> >
> > Note that we should always be careful not to send the full email alias
> in text, as spam bots will attack it when they harvest the web. Trust me,
> you'll see this soon if we post that address in email body and in html.
> "mapserver-security (at) blah (dot) com"
> >
> > -jeff
> >
> >
> >
> > On 2020-02-28 1:56 p.m., Steve Lime wrote:
> >> Actually that's probably not an issue if the issues are filed via
> >> mapserver-security at osgeo.org <mailto:mapserver-security at osgeo.org> and
> >> then we create the tickets.
> >>
> >> On Fri, Feb 28, 2020 at 11:42 AM Steve Lime <sdlime at gmail.com
> >> <mailto:sdlime at gmail.com>> wrote:
> >>
> >> Only drag with that is contributors need osgeo ids.
> >>
> >> On Fri, Feb 28, 2020 at 11:36 AM Michael Smith
> >> <michael.smith.erdc at gmail.com <mailto:michael.smith.erdc at gmail.com
> >>
> >> wrote:
> >>
> >> OSGeo has gitea in SAC. We can have a private mapserver repo
> >> there.
> >>
> >> Mike
> >>
> >> --
> >> Michael Smith
> >> OSGeo Foundation Treasurer
> >> treasurer at osgeo.org <mailto:treasurer at osgeo.org>
> >>
> >>
> >> *From: *mapserver-dev <mapserver-dev-bounces at lists.osgeo.org
> >> <mailto:mapserver-dev-bounces at lists.osgeo.org>> on behalf of
> >> Steve Lime <sdlime at gmail.com <mailto:sdlime at gmail.com>>
> >> *Date: *Friday, February 28, 2020 at 12:16 PM
> >> *To: *Even Rouault <even.rouault at spatialys.com
> >> <mailto:even.rouault at spatialys.com>>
> >> *Cc: *MapServer Dev Mailing List <
> mapserver-dev at lists.osgeo.org
> >> <mailto:mapserver-dev at lists.osgeo.org>>
> >> *Subject: *Re: [mapserver-dev] Motion: Updating the security
> >> reporting and workflow process
> >>
> >> The collaborator limit does kinda suck. We can't host private
> >> repos under the MapServer account. Github wants projects to move
> >> to "teams" - $304/mo based on our current size. Gitlab would
> >> certainly work for a single purpose private repo.
> >>
> >> On Fri, Feb 28, 2020 at 11:06 AM Even Rouault
> >> <even.rouault at spatialys.com <mailto:even.rouault at spatialys.com
> >>
> >> wrote:
> >>
> >> On Friday 28 February 2020 12:36:54 CET Jeff McKenna wrote:
> >> > There is now a new alias that users can send an initial
> >> report to, that
> >> > forwards to all PSC members: mapserver-security (at)
> >> osgeo (dot) org
> >> >
> >> > SteveL has also setup a private 'mapserver-private'
> >> repository on
> >> > Github, to handle valid security reports, privately.
> >> >
> >> > So therefore:
> >> >
> >> > Motion: update documentation
> >> > (https://mapserver.org/development/bugs.html) to list the steps to
> >> > report a security concern, mentioning the first step of
> >> sending report
> >> > to mapserver-security (at), and second step of a PSC
> >> member creating a
> >> > ticket in the 'mapserver-private' repository.
> >>
> >> As apparently there's a limit to the number of collaborators
> >> for a private github repo, perhaps GitLab could be an option ?
> >> Some doc at
> https://docs.gitlab.com/ee/user/project/issues/confidential_issues.html
> >> (I have no experience with that myself.)
> >>
> >> Even
> >>
> >> --
> >> Spatialys - Geospatial professional services
> >> http://www.spatialys.com
> >> _______________________________________________
> >> mapserver-dev mailing list
> >> mapserver-dev at lists.osgeo.org
> >> <mailto:mapserver-dev at lists.osgeo.org>
> >> https://lists.osgeo.org/mailman/listinfo/mapserver-dev
> >>