Chris, Andrea,
Good suggestion. If I could go one further, I'd suggest an explicit bold
statement in the user/dev list sections saying not to post security
stuff there. I.e.:
<h3>User List</h3>
This list is for end users blah blah blah *<b>Do/<i>Not</i> /report
security vulnerabilities here. See the Security blah blah section</b>*
(and the same again in the Developer Lists box)
The problem with having a specific highlighted box is that some people
(and I include myself in this) simply don't "see" them.
Cheers,
Jonathan
On 2018-06-07 15:18, Chris Snider wrote:
Andrea,
It took me a second to find the security block. I completely
overlooked the blue field.
Maybe add a new header under the “User List”
<h3>User List</h3>
This list is for end users blah blah blah
<h3>Reporting Security Vulnerabilities</h3>
If you encounter a security vulnerability blah blah blah
<h3>Posting Guidelines</h3>
Please read through etc. etc. etc.
Thought I’d say blah again didn’t you
<h3>Developer Lists</h3>
The rest of the page, and so on
This might draw attention?
Chris Snider
Senior Software Engineer
cid:image001.png@01D2E6A5.9104F820
*From:* Andrea Aime [mailto:andrea.a...@geo-solutions.it]
*Sent:* Thursday, June 07, 2018 12:23 AM
*To:* Dave Wichers <dave.wich...@ey.com>
*Cc:* geoserver-users@lists.sourceforge.net
*Subject:* Re: [Geoserver-users] Known vulnerability in
commons-fileupload v1.2.1, used by geoserver
The comm page, where I believe you found info on registering for the
user list,
has a clear warning not to post security vulnerabilities:
http://geoserver.org/comm/
"If you encounter a security vulnerability in GeoServer please take
care to report the issue in a responsible fashion. Do not use the
mailing list, go intead to the Jira bug tracker instead and follow the
"Responsible disclosure" instructions there."
How do we make it more plain and evident so that grave mistakes do not
occur anymore in the future?
Maybe we should switch the background color of that box to red...
Regards
Andrea
<removed>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, but Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, but Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
