On Mar 30, 2012, at 11:11 AM, Bram de Kruijff wrote:

> On Fri, Mar 30, 2012 at 9:51 AM, Ivo Ladage-van Doorn
> <[email protected]> wrote:
>> Hi All,
>>
>> In the JIRAs for the subprojects Cassandra, Auth and OpenSocial issue
>> security has now been enabled. This means that issues can be public and
>> private. Public is the default, which means that everyone can see the issue.
>> In some cases however (i.e. a discovered security leak) you want the issues
>> to be private, readable only by the developers.
>
> We kind of noticed this change yesterday when all AMDATU issues were
> gone ;) But it's fine now, so about this measure: I'm not sure exactly
> why you introduced it and whether we need it at this point. Just be
> aware that any security issue disclosed in a public forum like jira is
> bound to end up in people's mail boxes, mail-archive and google if not
> set to private from the start anyway. So I think it's kind of a half
> solution.
>
> Process-wise, I would have preferred to discuss such a change first.
>
>> If you want issue security enabled for any other JIRA subprojects, please
>> let me know.
>
> As I said I don't feel we need it on AMDATU at this point, but if
> people disagree and want it enabled let us know.

I agree with Bram on this one, we don't need it, so please leave it disabled.

Apache solves this in a different way [1]. There is a private mailing list where people can send their security issues if they don't want them disclosed. This list is archived as well, but only visible to committers. I propose that *if* we need something like this, we do it this way and simply don't put these vulnerabilities in Jira.

Greetings,

Marcel

[1] http://apache.org/security/
_______________________________________________
Amdatu-developers mailing list
[email protected]
http://lists.amdatu.org/mailman/listinfo/amdatu-developers

