river-dev mailing list archives

From Mark Brouwer <mark.brou...@cheiron.org>
Subject Handling security-related issues
Date Thu, 06 Sep 2007 08:36:22 GMT
Hi Jim,

I respond separately on "Handling security-related issues" as it does not
have that much to do with the process; it is merely a technical remark.

Handling security-related issues
       Enable a special field in JIRA to mark an issue as a security
       issue and restrict access to the JIRA issue to the PPMC and

       Hold initial discussions on potential security issues on the
       private PPMC list.  When acknowledged that it's a valid security
       issue, create a JIRA issue with special security field marked.

       As soon as appropriate (for example, when the impact is understood
       and/or there is a resolution and fix developed), open the issue
       and discussion to the river-dev list.

When we create such a field, it will become a default field when people
enter an issue. Any person can therefore mark (upon entering the issue)
an issue as a 'security issue'. In that case *no* mail will be sent to
the river-commit mailing list, I expect though that the component owner
(which we don't have) or otherwise the project owner(s) will get a
posting (this has to be tested).

That person is responsible for bringing it to the private mailing list.
As long as an issue stays marked as 'security issue' it stays hidden from
all except the committers. The only way to get it visible is to mark it
as no longer being a 'security issue' but that doesn't seem right. Do
you envision this as a problem?
