couchdb-dev mailing list archives

From Noah Slater <nsla...@apache.org>
Subject Re: [DISCUSS] Apache CouchDB Developer Code of Conduct
Date Wed, 30 Apr 2014 12:56:00 GMT
Security bugs are not open to the public.

In general, the project operates openly. It is one of our core
principles as an Apache project. But there are numerous private
resources that we use for sensitive items, including but not limited
to:

- Private bugs for security issues
- Private IRC channel for sensitive topics
- Private project mailing list for sensitive topics
- Private foundation level lists for internal affairs
- Private svn repository for sensitive record keeping
- Other misc private infrastructure


On 30 April 2014 09:40, Andy Wenk <andy@nms.de> wrote:
> Hey Joan,
>
> yeah good point. In one of your first emails, you stated below your quote
> for the text (">  We will keep our entire bug report database open for
> public ...")
>
> "so we can probably make this explicit, then point to the ASF Bylaws[1]
> and ASF "How it works"[2] for the rest."
>
> Question: isn't the bug handling better placed in the bylaws? I understand
> the CoC more in regarding "personal behaviour" instead of "technical
> behaviour". Or am I on the wrong path?
>
> Cheers
>
> Andy
>
>
> On 30 April 2014 07:24, Joan Touzet <wohali@apache.org> wrote:
>
>> And the good news is that we have a mechanism for that already! :)
>>
>> http://docs.couchdb.org/en/latest/cve/index.html
>>
>> We encourage people to bring security issues to us via this framework.
>> All issues raised are addressed promptly and disclosed as soon as feasible.
>>
>> -Joan
>>
>> ----- Original Message -----
>> From: "Bruno Rohée" <bruno@rohee.org>
>> To: dev@couchdb.apache.org
>> Sent: Tuesday, April 29, 2014 7:42:29 PM
>> Subject: Re: [DISCUSS] Apache CouchDB Developer Code of Conduct
>>
>> Joan Touzet wrote:
>>
>> >  We will keep our entire bug report database open for public view at all
>> times. Reports that people file online will promptly become visible to
>> others.
>>
>> My two cents : there are good, practical reasons to keep some bugs
>> confidential before a fix/workaround is available. Namely security bugs.
>> It's definitely bad when bugs are kept hidden for months or even years, but
>> surely there is some middle ground to be found. This is especially
>> important as it's reasonable to have an Internet facing CouchDB, unlike
>> many other DBs...
>>
>>
>> On Mon, Apr 28, 2014 at 9:48 PM, Joan Touzet <joant@atypical.net> wrote:
>>
>> > Benoit said:
>> > > This one looks really good. What's your plan about the social contract?
>> > > Take something adapted?
>> >
>> > In the context of this CoC it only refers to:
>> >
>> >   "We will not hide problems
>> >
>> >   We will keep our entire bug report database open for public
>> >   view at all times. Reports that people file online will
>> >   promptly become visible to others."
>> >
>> > so we can probably make this explicit, then point to the ASF Bylaws[1]
>> > and ASF "How it works"[2] for the rest.
>> >
>> > -Joan
>> >
>> > [1] https://www.apache.org/foundation/bylaws.html
>> > [2] https://www.apache.org/foundation/how-it-works.html
>> >
>>
>
>
>
> --
> Andy Wenk
> Hamburg - Germany
> RockIt!
>
> http://www.couchdb-buch.de
> http://www.pg-praxisbuch.de
>
> GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
>
> https://people.apache.org/keys/committer/andywenk.asc



-- 
Noah Slater
https://twitter.com/nslater