river-dev mailing list archives

From Jim Hurley <Jim.Hur...@Sun.COM>
Subject Re: Handling security -related issues
Date Thu, 06 Sep 2007 17:06:08 GMT
"How do I handle security-related issues on River?"
Sounds like process to me...

Mark:  I was keying off your ideas on this from the email
thread, as well as your dialog with Jools and others.

I see the conflict if the field is named a certain way (e.g.,
"Security Issue"), but maybe that could be accommodated
by changing the field name to "Security Issue Under Committer"
or some such -- indicating that the issue is sensitive at this
stage (when marked) and needs to be private among the
Committers.  Thus, when unchecked, it's still a security issue,
just not under Committer private discussion.

Happy to go with an alternative suggestion here if anyone
has one.

thanks -Jim

On Sep 6, 2007, at 4:36 AM, Mark Brouwer wrote:
> Hi Jim,
> I respond separately on "Handling security-related issues" as it has
> not that much to do with the process, merely a technical remark.
>
> Handling security-related issues
>       Enable a special field in JIRA to mark an issue as a security
>       issue and restrict access to the JIRA issue to the PPMC and
>       committers.
>       Hold initial discussions on potential security issues on the
>       private PPMC list.  When acknowledged that it's a valid security
>       issue, create a JIRA issue with the special security field marked.
>       As soon as appropriate (for example, when the impact is understood
>       and/or there is a resolution and fix developed), open the issue
>       and discussion to the river-dev list.
>
> When we create such a field, it will become a default field when people
> enter an issue. Any person can therefore mark (upon entering the issue)
> an issue as a 'security issue'. In that case *no* mail will be sent to
> the river-commit mailing list; I expect though that the component owner
> (which we don't have) or otherwise the project owner(s) will get a
> posting (this has to be tested).
> That person is responsible for bringing it to the private mailing list.
>
> As long as an issue stays marked as 'security issue' it stays hidden from
> all except the committers. The only way to get it visible is to mark it
> as no longer being a 'security issue', but that doesn't seem right. Do
> you envision this as a problem?
> -- 
> Mark
