Hi everyone,
Currently we only credit people who report security vulnerabilities at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks (which basically nobody reads or knows exists) and sometimes in the commit message and release announcements. Given such people are instrumental in keeping MediaWiki secure, I think we should also credit them in the CREDITS file. I propose adding another section to the file - "Vulnerability Reporters", listing the names of everyone who has reported a security vulnerability in either MediaWiki or a bundled extension.
Thoughts?
-- Brian
Good ideas, side note: I'm fairly certain the Credits special page just pulls from CREDITS file.
Thanks,
Zppix
Volunteer Developer for WMF
Volunteer Support for Mozilla
www.enwp.org/User:Zppix
On Tue, May 1, 2018 at 3:34 PM, Brian Wolff bwolff@wikimedia.org wrote:
A while back (cba03a5777) we gave up dividing that file into "Developers" and "Patch contributors" - and imho that was a good thing. The only sections in the CREDITS file by now are "Contributors" and "Translators", where the latter just holds a link to translatewiki.
I'd (slightly) prefer to just add those who reported security issues to the "Contributors" section (considering "reported a security issue" a contribution) instead of adding a new section - technically someone reporting a security issue with a patch attached would be both a "Vulnerability Reporter" and a "Contributor", which just seems confusing. Aside from bikeshedding about that, I totally agree with your proposal.
-- Eddie
On 01.05.2018 20:34, Brian Wolff wrote:
The reason I don't want them in the same category is that:
* I see them as a totally different type of contribution. I think a security reporter has more in common with a translator than with a code contributor.
* The existing credits section is maintained by a script based on git log. The security reporters list will probably have to be hand maintained.
I think the biggest good that came out of eliminating the "developers" vs "patch contributors" split is that the definition of the two groups was unclear (in the post-svn era; in SVN it was very clear), thus potentially causing hurt feelings over who deserves to be in which one. With security reporters, we don't have to worry about that.
Although it's possible there could be fighting over what's a valid security report if we don't define it carefully (an XSS is obviously a security report, but there's lots of borderline stuff that gets reported; probably the metric should be: do we take action or not based on the report).
-- Brian
p.s. After posting my initial email, I found out there is a related phab ticket at https://phabricator.wikimedia.org/T118131
On Tue, May 1, 2018 at 9:28 PM, Eddie Greiner-Petter wikimedia.org@eddie-sh.de wrote: