Security mailing list


Petros

Oct 17, 2015, 7:18:51 AM
to Joomla! CMS Development
https://www.joomla.org/announcements/release-news/5633-important-security-announcement-pre-release.html

I accidentally visited joomla.org today and saw the above important announcement. Is there any mailing list that I could subscribe to in order to be informed asap of these kinds of announcements?
If there is not, I believe Joomla should build one asap. SMF, for example, informs me by email about updates.

Btw I hope the servers don't crash on Thursday cause I suspect much traffic worldwide in a short period of time :) Maybe you should plan especially for this update some mirrors with the update package?

Some suggestions from me :)
Have a nice day!

Niv Froehlich

Oct 17, 2015, 11:45:51 AM
to joomla-...@googlegroups.com, secu...@joomla.org
Hi Petros,

You raise a good point.  

The list of mailing lists is at https://www.joomla.org/mailing-lists.html; however, it's unclear from this page which, if any, of the lists will provide security announcements.

The Joomla Issue Tracker is at http://issues.joomla.org/

There is a dedicated Joomla! Security Centre web page at http://developer.joomla.org/security-centre.html

However, I'm unaware of any mailing list that is specifically dedicated for Joomla! Security Announcements.

I've cc'd this thread to the Joomla! Security Strike Team - perhaps they would be kind enough to provide some insight or information on where one can get security alerts via email.

Warmest regards,

Niv



--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-cm...@googlegroups.com.
To post to this group, send email to joomla-...@googlegroups.com.
Visit this group at http://groups.google.com/group/joomla-dev-cms.
For more options, visit https://groups.google.com/d/optout.

Webdongle Elgnodbew

Oct 17, 2015, 1:51:51 PM
to Joomla! CMS Development
https://www.joomla.org/rss.html shows a list of RSS feeds.  If memory serves me correct ... there used to be a news feed available in Joomla's control panel.  But you can go to Extensions >>> Modules >>> set filter to 'Administrator' ... and create a feed display module to display in Admin

Nils Rückmann

Oct 17, 2015, 2:24:57 PM
to Joomla! CMS Development
I'm currently not up to date, but isn't there a plugin/feature proposal to send an E-Mail if a new version arrives? Might be an idea to extend it to send urgent announcements as well.

brian teeman

Oct 17, 2015, 2:26:54 PM
to Joomla! CMS Development
From the forum where it is listed at the top
http://feeds.joomla.org/JoomlaSecurityNews

It's a feedburner feed so you can subscribe to it.

However sadly the announcement hasn't been added

Michael Babker

Oct 17, 2015, 2:29:54 PM
to joomla-...@googlegroups.com
That plugin is installed on sites and relies on the update system to query information, it isn't subscribing users to a centrally managed distribution list.

On Sat, Oct 17, 2015 at 2:24 PM, Nils Rückmann <ni...@rueckmann.com> wrote:
I'm currently not up to date, but isn't there a plugin/feature proposal to send an E-Mail if a new version arrives? Might be an idea to extend it to send urgent announcements as well.

Michael Babker

Oct 17, 2015, 2:33:59 PM
to joomla-...@googlegroups.com
I'm not out to make excuses, but adding that one announcement to the feed means it gets added into http://developer.joomla.org/security-centre.html which mixes it in with the general security notices that get pushed on each release.  If there were a better option, adding it to that feed wouldn't be a pain.  Personal opinion, my time's better spent working to ensure the security patches are good to go for release than trying to work logistics to get the feeds updated in a way we can push general announcements on that security feed without mixing them into the main feed where all the security notices are statically pushed.


Webdongle Elgnodbew

Oct 17, 2015, 3:01:56 PM
to Joomla! CMS Development
There's a whole list of feeds that can be added to the browser or (if you use one) a feed reader: https://www.joomla.org/rss.html

http://feeds.joomla.org/JoomlaAnnouncements is interesting
Important Security Announcement - Patch Available Soon
16 October 2015 22:34

A Joomla 3.4.5 release containing a security fix will be published on Thursday 22nd October at approximately 14:00 UTC

Petros

Oct 17, 2015, 3:39:40 PM
to Joomla! CMS Development
Am I the only site webmaster that doesn't use rss?
Anyway, I believe a newsletter kind of thing for security releases would be an extra good thing :)

Niv Froehlich

Oct 17, 2015, 3:45:23 PM
to joomla-...@googlegroups.com
I would simply propose that the JSST consider the merits of having a 'security only' mailing list and if they see fit and are willing, the logistics of setting that up and maintaining it should not be too difficult.

Warmest regards,

Niv


Niv Froehlich

Oct 17, 2015, 3:46:59 PM
to joomla-...@googlegroups.com
+1 to Petros (see above) - however with deference to the JSST as it would be up to them to maintain it.

On Sat, Oct 17, 2015 at 3:39 PM, Petros <tzi...@gmail.com> wrote:
Am I the only site webmaster that doesn't use rss?
Anyway, I believe a newsletter kind of thing for security releases would be an extra good thing :)


Webdongle Elgnodbew

Oct 17, 2015, 4:54:43 PM
to Joomla! CMS Development

Niv Froehlich

Oct 17, 2015, 5:18:48 PM
to joomla-...@googlegroups.com
Hi Webdongle,

Please forgive my ignorance.  Is the above link the official Joomla! Project e-newsletter for security updates?

Thanks,

Niv


Michael Babker

Oct 17, 2015, 5:25:17 PM
to joomla-...@googlegroups.com
That Feedburner link, as I hinted at above, is the feed of security postings coming from http://developer.joomla.org/security-centre.html (or http://developer.joomla.org/security-centre.feed if you subscribe directly to the Joomla category via RSS and bypass the third party source).  So no, it is not an e-newsletter, but it is the project's feed for announcements of resolved security issues (I can find no precedent of using that feed source for other types of security announcements, however if you dig back into the old 1.0 release announcements, there is precedent of using the general release announcement feed for announcements of upcoming security and maintenance releases).

Webdongle Elgnodbew

Oct 17, 2015, 5:25:52 PM
to Joomla! CMS Development
Hi Niv

The https://feedburner.google.com/fb/a/mailverify?uri=JoomlaSecurityNews link was passed to me from one of the Joomla forum security mods

Petros

Oct 17, 2015, 5:37:42 PM
to Joomla! CMS Development
Yep, that's what I meant :) Sorry that I didn't understand it from Michael's hint! Lastly, as long as there is such a thing, why not make this link a little more emphasized on the joomla.org site :)
Waiting for the update....
Thanks all for your help!

Niv Froehlich

Oct 17, 2015, 5:37:54 PM
to joomla-...@googlegroups.com
Thanks Michael and Webdongle - I have to run right now (i.e. will follow up tomorrow and copy to this thread) with a note to the JSST 

1) Asking for clarification that this is in fact 'up, running and maintained.'

2) Suggesting the documentation at https://docs.joomla.org/Security_Checklist/Getting_Started gets updated with this information; and

3) Suggesting that the security email list be added to the 'list of email lists.'

My humble opinion is that we could certainly take a few quick and easy steps to make this information a lot clearer on the Joomla web site.

Best,

Niv

Michael Babker

Oct 17, 2015, 5:44:10 PM
to joomla-...@googlegroups.com
1) What clarification do you need?  The Feedburner link that's been posted here a few times is indeed "up, running, and maintained" (unless it loses its connection with the developer site), I've posted two alternative links for the same source one being the direct HTML page and one being the RSS feed that Feedburner is processing.

2) As the documentation site is a wiki, feel free to update it (unless that page is protected, in which case we'll need someone with that access to make changes)

3) What security email list?  There isn't one (nor do I think we should add yet another Google Group or another email subscription list to duplicate what Feedburner already provides).  There is the RSS feed which is posted in the description of the announcements section on the forum and the same security announcements feed is the second link on https://www.joomla.org/rss.html (and Feedburner does have an email option, not restricted to RSS subscribers).  So I'm not totally sure what it is you're looking for on this point.

Leo Lammerink

Oct 17, 2015, 11:13:50 PM
to joomla-...@googlegroups.com
@ Niv..... this is your email list. Click the link and enter your email and you receive an activation link and as soon as a security news item is published you get it in your email. No RSS-Reader so you have your list!

Leo

Niv Froehlich

Oct 18, 2015, 3:05:06 PM
to joomla-...@googlegroups.com
Thanks Leo and Michael for clarifying.

Just to simplify, I think the confusion lies in that by email list, we are simply asking for 'a place to sign up to receive Joomla security updates via email' - whether that's a Google Group or Feedburner is '6 of one or a half-dozen of the other,' so to speak, at least so far as getting security announcements by email is concerned.

So then the next thing that is missing is simply instructions in the appropriate places on the Joomla.org web site telling people, 'To receive Joomla Security Announcements via email, subscribe here.'  On the web site, we are currently not really clear to the general public as to how they can stay up-to-date on important Joomla! security announcement, (i.e. "Stay informed...subscribe here to receive important Joomla! Security Announcements") (i.e. Michael - your point 2 above addresses this, so thank you).

Warmest regards,

Niv

Leo Lammerink

Oct 18, 2015, 3:52:17 PM
to joomla-...@googlegroups.com
I think that is a fair request and PLT or CLT might be able to address that

Leo

brian teeman

Oct 18, 2015, 4:46:34 PM
to Joomla! CMS Development
That link used to be on the download page.

It is still very prominent on the forum

Petros

Oct 21, 2016, 10:21:08 AM
to Joomla! CMS Development
Just as a reminder!
send us an email for awareness for the upcoming 3.6.4.

P.s. If the security was introduced during 3.6.3 maybe stop distribution? Only 7% has been updated to this release!

brian teeman

Oct 21, 2016, 12:53:28 PM
to Joomla! CMS Development
On Friday, 21 October 2016 15:21:08 UTC+1, Petros wrote:
P.s. If the security was introduced during 3.6.3 maybe stop distribution? Only 7% has been updated to this release!

"Until the release is out, please understand that we cannot provide any further information."

Petros

Oct 25, 2016, 2:53:12 PM
to Joomla! CMS Development
I have upgraded my sites the moment the release got out and thank the Joomla security team for their great work!!!

However plz send this email...
I happened to visit joomla.org and saw it. I believe Joomla sites are not only maintained by big web development firms that visit joomla.org twice a day...
It has been already 5 hours since the release and according to Joomla's usage statistics only 2,4% have updated their site...
Hacked sites are bad for everyone, especially for someone so big like Joomla.
Yes, we have great engineers that look to the matters asap and new features are on their way; however, I believe we have a matter at communicating these important announcements.
Thanks and sorry for the rant. I just believe the sooner the better for these kinds of things...

Michael Babker

Oct 25, 2016, 3:00:41 PM
to joomla-...@googlegroups.com
The emails are processed by Feedburner.  It is not an individual going into a mailing system to send out notifications.  So whatever the configuration is in Feedburner is when the messages get sent out.


Petros

Oct 25, 2016, 3:17:31 PM
to Joomla! CMS Development

Thanks for the explanation and the immediate response ;)
I'm not looking to blame someone who is late etc...
I'm just thinking of ways to make Joomla safer (and cause I am not a hacker I cannot review its code :P)

The problem starts with the difficulty of automatically updating security releases (I know it has been discussed and has been decided to be the wrong (WordPress) way)

So I'll try to propose a new "feature" that seems relatively simple but may be hard due to the need of infrastructure? (I'm not really sure :) )
It would be great if at new installs or after upgrade we have a post install message that says
"hey, do you want to enlist to our security newsletter? it will make your site safer, cause ignorance is not always a bliss...".
And of course the Joomla organisation will have to develop this newsletter... (I don't know the cost but I think it is affordable?)

Thanks for all your efforts!


Leo Lammerink

Oct 25, 2016, 9:33:34 PM
to joomla-...@googlegroups.com

Any release will be emailed to the webmaster (super admins) when the respective plugin is enabled. So you get a prompto the information that a new release is available. You can subscribe to the Vel Security feed. If you want site backups and automated updates (which can be risky if the patch contains bugs) you can subscribe to myjoomla.com or watchful.ie. They will also mail you security warnings. We have therefore tons of information streams already available and we do not need more (maintenance costs and available manpower)

my 2 ct's

Leo Lammerink
www.gws-desk.com


Petros

Oct 26, 2016, 10:10:03 AM
to Joomla! CMS Development
Leo, the plugin works perfectly for a normal release. When someone visits your site it emails you. No need to hurry to update also. :) One week later or a month doesn't matter so much.
However it doesn't work for the pre-release announcement like the ones for 3.4.5 or the last like 3.6.4.
The two "maintenance" companies that you mention, sure, I imagine they do a very good job, but they are not affordable by everyone...
And I think Joomla is for the average Joe also that does not make money or doesn't want to spend more money cause he maintains it voluntarily or for personal reasons.
Whatever the case, he cannot spend money on these companies, but Joomla's reputation will grow bad also accordingly to the hacked sites.
A newsletter for security reasons is a must and can be also used for other reasons like news - call for help - or even advertisement (don't shoot guys).
Many grand Joomla companies give out newsletters with news (while trying to sell...). Why not use this means for better security firstly, and if you'd like, when we have the infrastructure we can have an opt in for general news about the Joomla community or the developing team!

On Saturday, 17 October 2015 at 2:18:51 PM UTC+3, user Petros wrote:
https://www.joomla.org/announcements/release-news/5633-important-security-announcement-pre-release.html

I accidentally visited joomla.org today and saw the above important announcement. Is there any mailing list that I could subscribe to in order to be informed asap of these kinds of announcements?
If there is not, I believe Joomla should build one asap. SMF, for example, informs me by email about updates.

Btw I hope the servers don't crash on Thursday cause I suspect much traffic worldwide in a short period of time :) Maybe you should plan especially for this update some mirrors with the update package?

Some suggestions from me :)
Have a nice day!

brian teeman

Oct 30, 2016, 1:42:50 PM
to Joomla! CMS Development
That is a very valid point Petros.

We do need to look at a way to inform people when there are pre-announcements, as you are perfectly correct in saying there is no method at the moment.

Petros

May 13, 2017, 6:33:58 AM
to Joomla! CMS Development
3.7.1 published on Wednesday 17/5/2017!
Spread it :)