- Mentioned In
- T133735: Formalize procedures for doing security releases of MediaWiki extensions
- Mentioned Here
- T67778: When special pages are included, OutputPage::$mPreventClickjacking is not respected
- T108360: Create "security pre-announce" group in Phab (to easier allow 3rd parties who get pre-release notifications to access Security tasks)
I like the idea in principle...
But this ^
Which is why I worry about the next person who asks, and the person after that. While we can ask people to sign the NDA, we can't possibly audit the people who have access to a server it gets deployed on, how secure that server is, etc.
Each person and server who gains early access to a patch increases the chance that it'll leak prior to release.
Which is why I worry about the next person who asks, and the person after that.
I think this got shelved from our director's meeting due to more pressing matters and never ended up back on the agenda. Given that I'm the sole director now, I'd sign this if this access is something that's still possible (although I'm guessing the NDA may have been updated since June 2015?)
Hi, just trying to get this ticket revived/resolved in some way because it's been pending for so long.
Since it was created there is an entirely new security team. So first let me add them to this to get it on the radar again.
Also, let me add Rachel from legal who deals with NDAs usually. (Yes, you are most likely right that it changed since 2015 and also a new system is in use to sign them as opposed to the legalpad in Phabricator).
Then there is the question of what it means technically. Are we talking about visibility of tickets in Phabricator and/or receiving email about upcoming security releases?
@lcawte I realize this issue has a long history. I'm sorry this has been such a back and forth without outcome. Over the last year the security team has been through some changes and there are a couple of us trying to revisit where inherited tasks stand.
tldr; We want to be a useful and effective partner here, and need to define how to grant and remove this access to do it. We have a small working group to meet and define. After which you'll be the first use case. Please ping me directly if this continues to drag on, or if you have questions about status. The next couple weeks are messy because of holidays in the US but I swear this is in flight.
This likely needs a re-triage then as I'm sure it's fallen off our radar at this point. While it would be nice to have some official process in place, if the user this task concerns (@lcawte) has been inactive and/or no longer requires such access, we should probably resolve this task.
Update: @JBennett and I have been actively discussing this. There are several moving parts and likely some legal issues to be worked out and probably some additional gating/auditing procedures to design, but we're hopeful (without making any promises at this point) that we are getting closer to actual policy and procedures.
Update: The Security-Team would like to specify a pilot program next quarter (Q3 FY21) for early security release access, limited to a small number of trusted developers and maintainers of certain MediaWiki installations. @Reedy and myself will begin work on a charter with further details and with the intention to launch said program soon thereafter.