The reason I don't want them in the same category is that:
* I see them as a totally different type of contribution. I think a
security reporter has more in common with a translator than a code
contributor
* The existing credits section is maintained by script based on git
log. The security reporters list will probably have to be hand
maintained
I think the biggest good that came out of eliminating the "developers"
vs "patch contributors" is that the definition of the two groups was
unclear (in the post-svn era. In SVN it was very clear), thus
potentially causing hurt feelings over who deserves to be in which one.
With security reporters, we don't have to worry about that.
Although it's possible there could be fighting over what's a valid
security report if we don't define it carefully (An XSS is obviously a
security report. But there's lots of borderline stuff that gets
reported. Probably the metric should be - do we take action or not
based on the report).
--
Brian
p.s. After posting my initial email, I found out there is a related
phab ticket at
https://phabricator.wikimedia.org/T118131
On Tue, May 1, 2018 at 9:28 PM, Eddie Greiner-Petter
<wikimedia.org(a)eddie-sh.de> wrote:
A while back (cba03a5777) we gave up dividing that file into
"Developers" and "Patch contributors" - and imho that was a good
thing. The only sections in the CREDITS file by now are "Contributors"
and "Translators", where the latter just holds a link to translatewiki.
I'd (slightly) prefer to just add those who reported security issues
to the "Contributors" section (considering "reported a security
issue" a contribution) instead of adding a new section - technically
someone reporting a security issue with a patch attached would be both
a "Vulnerability Reporter" and a "Contributor", which just seems
confusing. Besides bikeshedding about that, I totally agree with
your proposal.
--
Eddie
On 01.05.2018 20:34, Brian Wolff wrote:
Hi everyone,
Currently we only credit people who report security vulnerabilities at
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks
(which basically nobody reads or knows exists) and sometimes in the
commit message and release announcements. Given such people are
instrumental in keeping MediaWiki secure, I think we should also
credit them in the CREDITS file. I propose adding another section
to the file - "Vulnerability Reporters", listing the names of
everyone who has reported a security vulnerability in either
MediaWiki or a bundled extension.
Thoughts?
--
Brian
_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l