Security Group Proposal, Draft 7


Mitchell Stoltz

Oct 8, 2001, 11:36:51 PM
to st...@mozilla.org, cla...@netscape.com, chof...@netscape.com, dve...@netscape.com
In addition to the changes Frank requested, I've rewritten the section
about a 'known vulnerabilities' page on mozilla.org to clarify what it's
about, and I changed the section about mailing lists. As I discussed
with staff, we should have separate lists for discussion and outside bug
reports.

Please give me your comments on these changes. Bear in mind they were
made by me alone and are just a proposal - they are open to debate.
Also, please outline what issues still need to be discussed. Mozilla
staff (and I) would like to finalize this policy by this Friday, 10/12.

This draft includes a link to a Known Vulnerabilities page. Is it in a
good location? I plan to link to it from projects/security/index.html
and projects/security/components/index.html.

Do you like the names of the mailing lists,
security-...@mozilla.org and security-b...@mozilla.org?
Should we use shorter names? I wanted to make it very clear what each
one is for.

-Mitch

Attachments: security-bugs-draft7.html, diff7

Gervase Markham

Oct 9, 2001, 12:57:04 PM
to Mitchell Stoltz, st...@mozilla.org, cla...@netscape.com, chof...@netscape.com, dve...@netscape.com
> This draft includes a link to a Known Vulnerabilities page. Is it in a
> good location?


No :-) If, as we hope to, we move to a different website model, we would
want to try and avoid changing this URL, just for the sake of
simplicity. This becomes far less likely if you go for:
http://www.mozilla.org/projects/security/known-vulnerabilities

as the URL. In the current website, this would be implemented as
http://www.mozilla.org/projects/security/known-vulnerabilities/index.html

Gerv

Daniel Veditz

Oct 9, 2001, 3:37:34 PM
to Mitchell Stoltz, st...@mozilla.org, cla...@netscape.com, chof...@netscape.com
Mitchell Stoltz wrote:

>
> Do you like the names of the mailing lists,
> security-...@mozilla.org and security-b...@mozilla.org?
> Should we use shorter names? I wanted to make it very clear what each
> one is for.


The discussion group doesn't need to be as clear, the people who need to
know about it will know it and less typing is better. I'd nominate

securi...@mozilla.org  // external alias
secur...@mozilla.org   // discussion

-Dan Veditz

Brendan Eich

Oct 9, 2001, 4:03:04 PM
to Dan Veditz, Mitchell Stoltz, st...@mozilla.org, cla...@netscape.com, chof...@netscape.com
Dan Veditz wrote:

I must now channel jwz's ghost and object to lack of hyphens and
cybercrud "grp" in the last. If short wins, why not
secu...@mozilla.org? Otherwise, -group it.

/be

Mike Shaver

Oct 9, 2001, 4:31:16 PM
to Brendan Eich, Dan Veditz, Mitchell Stoltz, st...@mozilla.org, cla...@netscape.com, chof...@netscape.com
Brendan Eich wrote:

> I must now channel jwz's ghost and object to lack of hyphens and
> cybercrud "grp" in the last. If short wins, why not
> secu...@mozilla.org? Otherwise, -group it.

secu...@company.com is the traditional notification address, I think.

Mike

Mitchell Stoltz

Oct 9, 2001, 5:06:52 PM
to Mike Shaver, Brendan Eich, Dan Veditz, st...@mozilla.org, cla...@netscape.com, chof...@netscape.com
Please keep in mind that we are creating TWO mailing lists, one to
receive security bug reports from outside and one for internal discussion.

It sounds like people are saying they want secu...@mozilla.org to be
the address where people not on the security group can send security bug
reports. Yes, this is one of the traditional addresses to use for this
purpose, as several people have pointed out. However, no one has
directly responded to my question: I think "security" is ambiguous, and
doesn't precisely describe the purpose of the address, which means it
may attract more off-topic posts. People may think it's for discussion
of cryptography engineering or physical building security or the
security of Mozilla servers, none of which is the case. More off-topic,
irrelevant posts to this address means more work for the maintainers.

My question is, is this a valid concern? If most of you think we should
use "secu...@mozilla.org," then I'm fine with that, but I'd like to
hear opinions about this point.

The second mailing list is for discussion among security group members.
Having a very specific name is not so important in this case, and short
is good, but if we're going to use secu...@mozilla.org for the bug
reports address, we'll have to pick another for the group discussion
address.

-Mitch

Mike Shaver

Oct 9, 2001, 5:15:10 PM
to Mitchell Stoltz, Brendan Eich, Dan Veditz, st...@mozilla.org, cla...@netscape.com, chof...@netscape.com
Mitchell Stoltz wrote:

> My question is, is this a valid concern? If most of you think we should
> use "secu...@mozilla.org," then I'm fine with that, but I'd like to
> hear opinions about this point.


I don't think it's an issue, and if "security group proposal" is
specific enough to have not attracted any questions about our crypto
stuff, I think we'll be fine. (I don't know of any other organizations
that suffer unduly under the weight of misdirected stuff to security@,
other than spam that doesn't care about security of _any_ sort. But my
sample size so far is pretty small.)

> The second mailing list is for discussion among security group members.
> Having a very specific name is not so important in this case, and short
> is good, but if we're going to use secu...@mozilla.org for the bug
> reports address, we'll have to pick another for the group discussion
> address.

securit...@mozilla.org for the Mozilla security group, I say.

Mike

Frank Hecker

Oct 9, 2001, 5:16:24 PM
to Mitchell Stoltz, st...@mozilla.org, cla...@netscape.com, chof...@netscape.com, dve...@netscape.com
Mitchell Stoltz wrote:

> It sounds like people are saying they want secu...@mozilla.org to be
> the address where people not on the security group can send security bug
> reports. Yes, this is one of the traditional addresses to use for this
> purpose, as several people have pointed out. However, no one has
> directly responded to my question: I think "security" is ambiguous, and
> doesn't precisely describe the purpose of the address, which means it
> may attract more off-topic posts. People may think it's for discussion
> of cryptography engineering or physical building security or the
> security of Mozilla servers, none of which is the case. More off-topic,
> irrelevant posts to this address means more work for the maintainers.


I think tradition trumps logic here: You're right, if we were starting
from a clean slate, and we were the first project to do this sort of
thing, then we might not necessarily want to use "secu...@mozilla.org"
as the well-known bug reporting address. However it's already in wide
use for this purpose, and because it's the shortest possible name with
"security" in it it's probably the first thing bug reporters are likely
to guess if they don't go to the trouble of looking up the address.

You're also correct in that this address might receive some off-topic
messages (not to mention spam). I don't think there's any way around
this, other than to just reply to off-topic messages with a canned reply
pointing people to the right forums.

So IMO we should choose "secu...@mozilla.org" for the bug reporting
address, and then some other name (I don't really care what) for the
security bug group mailing list.


Frank


--
Frank Hecker
hec...@mozilla.org

Ben Bucksch

Oct 9, 2001, 6:18:34 PM
to mozilla-...@mozilla.org
Mitchell Stoltz wrote:

> I think "security" is ambiguous, and doesn't precisely describe the
> purpose of the address, which means it may attract more off-topic
> posts. People may think it's for discussion of cryptography
> engineering or physical building security or the security of Mozilla
> servers, none of which is the case. More off-topic, irrelevant posts
> to this address means more work for the maintainers.

That's right. There will most likely be lots of off-topic mail to this
address. But I think that the advantage of possibly getting more /
earlier reports because of being easily reachable is more important
than the convenience of the maintainers.
Note that the "right" way to file the bug reports is bugzilla anyway.
The only purpose of this alias is to be reachable easily.


Mitchell Stoltz

Oct 9, 2001, 8:55:58 PM
to st...@mozilla.org
Sounds like we've got consensus on the mailing list names, then. The
address for submitting bug reports will be secu...@mozilla.org, and the
security bug group private mailing list will be
securit...@mozilla.org. If I don't hear any objections, I will
modify the policy accordingly.

Where should the two pages (the policy and the Known Vulnerabilities
page) live on Mozilla? I leave that to staff to decide.

Are there any other issues that need to be worked out? Please bring them
up before Friday.

-Mitch
