Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-05 Thread janI
On 5 March 2013 08:46, Andrea Pescetti <pesce...@apache.org> wrote:

> Daniel Shahaf wrote:
>
>> if somebody replies to your post and says "Hey,
>> false negative", you really want _that_ to happen privately.
>
> That was my concern too. Jan is perfectly right that he merely forwarded a
> public security announcement, and that there is absolutely nothing wrong
> in this in itself, but it's better to avoid the (admittedly remote, in this
> case) possibility that someone exposes a security risk while commenting.
> Take this as a generic practice; we had similar discussions about
> vulnerabilities found in libraries, for example; and the common advice is
> not to discuss security-related practices in public.


I did not take it personally, but I do not understand how we can discuss an
issue on a mailing list where most of the people needed for the discussion
do not have access. Please remember my purpose, we need 2-3 volunteers to
test the update.

Had it been a real security update (it does contain other fixes as well), I
would simply have applied it after a short discussion on IRC. But I do
honestly think that escalating a non-issue like this to r...@apache.org is
wrong and that was why I reacted.

Instead of discussing what I should have done (and making me think why do
I care), maybe we could concentrate on whether or not it should be applied,
and if there are any volunteers to test it.

thx in advance.


> Regards,
>   Andrea.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
> For additional commands, e-mail: dev-h...@openoffice.apache.org




Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-05 Thread Daniel Shahaf
janI wrote on Tue, Mar 05, 2013 at 09:08:33 +0100:
> On 5 March 2013 08:46, Andrea Pescetti <pesce...@apache.org> wrote:
>
>> Daniel Shahaf wrote:
>>
>>> if somebody replies to your post and says "Hey,
>>> false negative", you really want _that_ to happen privately.
>>
>> That was my concern too. Jan is perfectly right that he merely forwarded a
>> public security announcement, and that there is absolutely nothing wrong
>> in this in itself, but it's better to avoid the (admittedly remote, in this
>> case) possibility that someone exposes a security risk while commenting.
>> Take this as a generic practice; we had similar discussions about
>> vulnerabilities found in libraries, for example; and the common advice is
>> not to discuss security-related practices in public.
>
> I did not take it personally, but I do not understand how we can discuss an
> issue on a mailing list where most of the people needed for the discussion
> do not have access. Please remember my purpose, we need 2-3 volunteers to
> test the update.

I am expecting you to discuss security issues privately and recruit
volunteers publicly.




Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-05 Thread Andrea Pescetti

janI wrote:

> Instead of discussing what I should have done (and making me think why do
> I care), maybe we could concentrate on whether or not it should be applied,
> and if there are any volunteers to test it.


OK, let's leave security out of this and consider it just an 
infrastructure update. Then you need a few volunteers for testing. I can 
be one, even though my account probably has some extra privileges; I can 
test normal editing and localization (interface and content 
translation). Then we can probably find a couple of documentation 
volunteers, who are the heaviest users of Mwiki in this period, and 
start testing.


Regards,
  Andrea.




Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread Andrea Pescetti

janI wrote:

> As you can read below, mediawiki has just released a security release.
> We are currently not hit by the issues noted in the mail.
> However I would like to ask the community if we should upgrade or wait for
> a later release?


Security issues are one of the few cases where we prefer that all 
conversations happen in private (infrastructure-private, that you CCed, 
seems right).


I realize that we are not affected by the vulnerabilities, so discussing 
this in public wouldn't pose risks in this case, but still with all 
security releases the project will simply take Infra's advice.


And thank you for following Mediawiki's security announcements!

Regards,
  Andrea.


Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread Daniel Shahaf
Andrea Pescetti wrote on Mon, Mar 04, 2013 at 22:05:42 +0100:
> janI wrote:
>> As you can read below, mediawiki has just released a security release.
>> We are currently not hit by the issues noted in the mail.
>> However I would like to ask the community if we should upgrade or wait for
>> a later release?
>
> Security issues are one of the few cases where we prefer that all
> conversations happen in private (infrastructure-private, that you CCed,
> seems right).

Security issues in services running on apache.org hardware should be
reported to root@, rather than infra-private@.

See http://www.apache.org/dev/infra-contact#how




Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread janI
On 5 March 2013 00:24, Daniel Shahaf <danie...@apache.org> wrote:

> Andrea Pescetti wrote on Mon, Mar 04, 2013 at 22:05:42 +0100:
>> janI wrote:
>>> As you can read below, mediawiki has just released a security release.
>>> We are currently not hit by the issues noted in the mail.
>>> However I would like to ask the community if we should upgrade or wait for
>>> a later release?
>>
>> Security issues are one of the few cases where we prefer that all
>> conversations happen in private (infrastructure-private, that you CCed,
>> seems right).
>
> Security issues in services running on apache.org hardware should be
> reported to root@, rather than infra-private@.


I don't get it. I forwarded a PUBLIC email, about a security release, NOT a
security issue, just to get an opinion from the community, because if
installed, someone has to test it!!

It is really not easy to do something right.

rgds
jan I.

> See http://www.apache.org/dev/infra-contact#how





Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread Daniel Shahaf
janI wrote on Tue, Mar 05, 2013 at 00:41:42 +0100:
> On 5 March 2013 00:24, Daniel Shahaf <danie...@apache.org> wrote:
>
>> Andrea Pescetti wrote on Mon, Mar 04, 2013 at 22:05:42 +0100:
>>> janI wrote:
>>>> As you can read below, mediawiki has just released a security release.
>>>> We are currently not hit by the issues noted in the mail.
>>>> However I would like to ask the community if we should upgrade or wait for
>>>> a later release?
>>>
>>> Security issues are one of the few cases where we prefer that all
>>> conversations happen in private (infrastructure-private, that you CCed,
>>> seems right).
>>
>> Security issues in services running on apache.org hardware should be
>> reported to root@, rather than infra-private@.
>
> I don't get it. I forwarded a PUBLIC email, about a security release, NOT a
> security issue, just to get an opinion from the community, because if
> installed, someone has to test it!!
>
> It is really not easy to do something right.

Can you please not take this personally?  It was just a commit review.

To the point: I agree with Andrea: it would have been good if you had
been more conservative and discussed the security implications
privately.  That's because of the small chance that your assessment
that the announced issue does not affect ooo-wiki2-vm will turn out to
be a false negative: if somebody replies to your post and says "Hey,
false negative", you really want _that_ to happen privately.




Re: Fwd: [MediaWiki-announce] MediaWiki security release: 1.20.3 and 1.19.4

2013-03-04 Thread Andrea Pescetti

Daniel Shahaf wrote:

> if somebody replies to your post and says "Hey,
> false negative", you really want _that_ to happen privately.

That was my concern too. Jan is perfectly right that he merely forwarded
a public security announcement, and that there is absolutely nothing
wrong in this in itself, but it's better to avoid the (admittedly
remote, in this case) possibility that someone exposes a security risk
while commenting. Take this as a generic practice; we had similar
discussions about vulnerabilities found in libraries, for example; and
the common advice is not to discuss security-related practices in public.


Regards,
  Andrea.
