Security Announcements: RSS feed?

Posted: Wed Dec 27, 2006 5:28 pm
by gosox2006
Great to see a forum that addresses just security announcements. Also good to see there's an RSS feed for this:

http://forum.joomla.org/index.php?type= ... ;board=372

Though it looks like the element in the feed is a little too vague.

http://forum.joomla.org/index.php

Which can/will confuse feed readers (Bloglines is giving me ALL joomla forum posts -- not just security announcements).

Anyone know who's in charge of that feed?

Thanks,

Dave

Re: Security Announcements: RSS feed?

Posted: Wed Dec 27, 2006 7:08 pm
by brad
Thanks for your inquiry.

For me that link correctly shows only the intended forum. Perhaps you could try a few of these:
If your feed reader does not like RSS 0.93, you can also use RDF (type set to rdf), Atom 0.3 (type set to atom), RSS 2.0 (rss2), and a proprietary format with more information (by not setting it at all.)

Re: Security Announcements: RSS feed?

Posted: Wed Dec 27, 2006 8:29 pm
by gosox2006
Thanks. Didn't mean to imply that the feed was invalid. In terms of XML/RSS, it's fine.

I just couldn't figure out why Bloglines was choking on it (even if I change the feed type to Atom etc.), ESPECIALLY since Bloglines reads other, similar feeds for other Joomla boards perfectly, e.g.:

http://forum.joomla.org/index.php?type= ... ml;board=8

So I tried to view a bunch of Joomla feeds in IE and Opera (browsers on which I have no user names/passwords saved). It would appear that the Security announcements board AND feed require a user name and password to view (unlike other Joomla boards). Is that true? If so, any reason why it's set up that way?

Thanks,

Dave

Re: Security Announcements: RSS feed?

Posted: Wed Dec 27, 2006 8:32 pm
by brad
Ahh yes, correct. Just a small way of protecting important vulnerability announcements from being monitored by non-members, individuals who may use the information for unhelpful purposes.

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 4:05 pm
by AmyStephen
Very, very good.  8)

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 4:14 pm
by gosox2006
With all due respect, it seems like a zero-sum strategy. Fewer (novice) crackers will know about the vulnerabilities -- but more Joomla developers (especially the novices, who are the most important ones to reach with these announcements) will be left in the dark. 

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 4:19 pm
by AmyStephen
What? How will the Joomla! developers be left in the dark? (Honest question!)

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 5:22 pm
by gosox2006
All I'm asserting is: the more you try to hide vulnerabilities from crackers, the more they will also be hidden from Joomla developers.

Scanning the Joomla security boards, there already seems to be a decent amount of ignorance and misinformation about Joomla security, especially among novices. (This will happen with any community project, needless to say.)

But why not grab the bull by the horns, be totally upfront about security issues, and teach people how to 1) teach themselves about security 2) easily stay informed and 3) spread the word about Joomla security? ("We have a new security announcements board -- one single location to get all the latest Joomla security info. Here's the URL you can bookmark. (No need to log in.) Here's the RSS feed. Here's how you plug the feed into a feed reader. Here's how you get the page to show up on your Joomla admin panel. Here's how you post that feed on your blog, so other developers can learn about these issues. You can also find this info on the Joomla home page, etc.")

The info is already out there. And any person motivated enough to be cracking sites will certainly be motivated enough to track this info down. (Step one: bookmark this page http://forum.joomla.org/index.php/topic,101240.0.html)

But the easier you make it for harried and/or novice developers to stay on top of security issues, the greater the number of secure Joomla sites out there.

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 7:17 pm
by brad
Step two: http://forum.joomla.org/index.php/topic,102558.0.html

Does it really matter if this forum is public or not? Honestly. Joomla is a pretty secure piece of software which has been thoroughly tested.

Links to security posts ARE included in your Joomla 1.0.12 panel, take a look for yourself. 8)

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 7:44 pm
by gosox2006
Thanks for the tip re: 1.0.12

As for your question:

brad wrote: Does it really matter if this forum is public or not?


I'm a little confused. You seem to have already answered that, yes, in fact it does matter (albeit, in "a small way"):

brad wrote: Just a small way of protecting important vulnerability announcements from being monitored by non-members, individuals who may use the information for unhelpful purposes.


But, if you're arguing, in your latest post, that it doesn't in fact matter, then we are in agreement. And you might as well make it public. Yes?

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 7:47 pm
by brad
* brad is not arguing

I'm just pointing out that this is not a big deal to get heated up over. We will review the current setting and decide which way to go, however.

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 8:56 pm
by AmyStephen
I like this method because it might give the community an inside edge on crackers. A project as enormous as Joomla! has no privacy when it comes to security cracks. These are listed on Secunia and other security awareness sites nearly immediately - sometimes that could be the source of finding out a problem.

I just do not see anything wrong with the Joomla! community having a resource that we can subscribe to in order to receive this information where we must log on. The only people I see who could possibly be disenfranchised would be those who were banned from the forums. Otherwise, I cannot see how any developer would have better access with a public RSS feed than signing up for email? In fact, push rather than pull technology should provide earlier notice.

Give it some thought. Maybe I am just missing a big point, I don't know, but I think it's good to be able to reach out to those who *want* to protect themselves with information about vulnerabilities. It'll be five minutes after that first email blast before Secunia publishes, but five minutes is better than nothing!

I saw Brad as disagreeing, not arguing.

You know, there is a lot of need for further education on security, like you mention. But, there has been a ton of great information created and shared since v 1.0.10. I have learned much myself. It'd be good to have you help out with questions in the security forums and think about things we might be missing and perhaps contribute material, too. We need more experts participating and it would be very much appreciated.

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 8:59 pm
by gosox2006
Thanks, Brad! And apologies. I certainly didn't mean to sound heated. I suppose I'm passionate about this -- only b/c I've had a Joomla site compromised and would dearly love an easy way to stay on top of this stuff. 

And by "arguing" I simply meant "presenting a case for."

Question: will this new forum address component security issues or just ones concerning the core?

Thanks again,

--Dave

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 9:02 pm
by brad
It is designed for Core Joomla issues, however we have the option of using it for 3rd party extensions if the team feels we need to ;)

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 9:19 pm
by gosox2006
Thanks, Amy.

A good number of people out there -- including myself -- keep a much closer eye on their feed readers than their inboxes. Yes, we sacrifice the lightning-quick immediacy of email, but we get our info almost as quickly -- and in a much more organized fashion. (I have all my Joomla feeds, for example, in a single folder.)

Moreover, this is not an either/or situation. There of course could be a (public) RSS feed and an automated email.

So chalk me up as someone who hasn't been banned from the forums and, yet, is still (in your words, though I feel the term is way too strong) "disenfranchised."

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 9:31 pm
by brad
gosox2006 wrote: So chalk me up as someone who hasn't been banned from the forums and, yet, is still (in your words, though I feel the term is way too strong) "disenfranchised."


Sorry to take this off topic, but why would you be banned for this question, and where/when was this word "disenfranchised" used? Did I miss something? 8)

Re: Security Announcements: RSS feed?

Posted: Thu Dec 28, 2006 11:26 pm
by brad
Just a note: We sorted this out via PM