[asterisk-dev] What happened with the latest round of releases: or, "whoops"

Matthew Jordan mjordan at digium.com
Thu Jun 19 07:11:30 CDT 2014


On Fri, Jun 13, 2014 at 2:44 AM, Corey Farrell <git at cfware.com> wrote:
>
> I was looking at reviews.reviewboard.org to see if anything was in the works to allow restricted reviews, I found https://reviews.reviewboard.org/groups/security/ - "This group is invite-only. You must be a member of this group in order to see any review requests assigned to it. You can ask the administrator or group owner for access."
>
> Could we get something similar working?  This would allow all security related bugs to follow the same process as normal bugs, just limited to those with commit access.
>
> Some form of email to an invitation only mailing list would be very useful, even if it is an uninformative notice: "Restricted review XXXX has been updated and can be viewed at https://..."  The same applies to JIRA, security bugs are not sent to asterisk-dev mailing list (this is good), but the tickets are not known unless we search for them.  An email with minimum information "JIRA ticket ASTERISK-XXXXX has been created or updated and can be viewed at https://...".


Thanks for finding that Corey. A few days ago I went ahead and set up
a new private Review Board group, "Security". After some brief testing
with Mark and George, it looks like it is indeed private and does not
generate e-mails to this list.

I provided a brief update to the Security Vulnerabilities wiki page to
note the existence of this group [1]. The proposed workflow is:

1. Vulnerability is reported to security at asterisk.org or through the
issue tracker
2. A bug marshal sends a terse e-mail to the asterisk-dev mailing list
notifying the developer community that a new vulnerability issue has
been created. The e-mail should only contain a link to the JIRA issue.
All communication occurs on the issue.
3. When a patch is ready, it is posted to Review Board in the Security group.
4. The normal process kicks in at this point, except that committing
said patch once approved is coordinated with a security release.

[1] https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Vulnerabilities

If anyone who has commit access would like access to this group,
please let me know.

Thanks -

Matt

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org