Your Cloud, Your Data, Your Way! – ownCloud 4.0 On CentOS 6.2 + nginx + PostgreSQL

This document describes how to install and set up ownCloud (from the ownCloud
community) on a CentOS 6.2 based web server from the tar package, using nginx
and php-fpm with postgre…

Fedora 15 end of life on 2012-06-26

Greetings. This is a reminder email about the end of life process for Fedora 15. Fedora 15 will reach end of life on 2012-06-26, and no further updates will be pushed out after that time. Additionally, with the recent release of Fedora 17, no new packages will be added to the Fedora 15 collection. Please […]

Mint 13 Reviews Roundup

Reviews give us a lot of feedback and we pay special attention to them. They boost our motivation when talking about the good and help us pinpoint areas of improvement when talking about the bad.  They also give us an opportunity to react to some of the points they make and to start a discussion […]

SMSC May 2012: Winner derajjared

SMSC May 2012 Winners: 1: derajjared, 2: Enkort, 3: alexbaettig.
Theme: Civil engineering

Quantal is waiting for you – start hacking on Ubuntu

Regular Bug Fixing Initiatives Perhaps you, like many others, got interested in Ubuntu Development, but didn’t know what to start working on? Perfect, because we have something for you. From now on we will put together regular bug fixing initiatives, so all you need to do is head over to our bug fixing initiative page, […]

The Document Foundation announces LibreOffice 3.5.4

Up to 100% performance improvements thanks to the efforts  of a diverse and growing developer and QA community Berlin, May 30, 2012 – The Document Foundation announces LibreOffice 3.5.4, the fifth version of the free office suite’s 3.5 family. LibreOffice 3.5.4 offers significant performance improvements over the previous versions of the product, which are the […]

Magento U Summer Schedule 2012

Get trained and gear up for the second half of the year by taking advantage of the many courses offered by Magento U. Magento U helps you get the tools, expertise and best practices needed to maximize the value of your Magento deployments. Here’s the…

Magento Go: Tips & Tricks to Migrate Your Community Edition Store to Go

June 13, 2012 | 10:00AM PDT

Webinar: Migrating From Magento Community to Magento Go
If you are in the process of moving a Magento Community website to Magento Go, you’ll want to join us for our next webinar. Transitioning your store to Magento Go c…

Drupal Security Team update – June 2012

This post aims to share information about the Drupal Security Team in 2011 and midway through 2012. The team processed a significant number of security advisories, added a few members, improved the free education materials in the handbooks, presented at dozens of camps and user groups, and made several improvements to our workflow (including some user facing changes, see below).

Some quick numbers:

You may notice that for the calendar year of 2011 there were fewer SAs than there were issues created. There are lots of reasons why that happens (mostly invalid issues or issues that affect versions not supported by our policy).

Improved security issue reporting process

This change is so exciting that it deserves its own section in addition to being listed below. The “Report a Security Issue” link on project pages now links directly to the security.drupal.org issue queue for that project. Using that link instead of sending an e-mail removes one of the final “copy/paste” jobs from the security team’s workflow.

We plan to always monitor security@drupal.org for issue submissions as well because that is a standard tool and we want to keep the barrier for reporters as low as possible. In January of 2012 there were 617 non-spam emails sent to that list and thousands of total e-mails which we have to moderate manually. So please remember: using the queue directly instead of emailing keeps us focused on our most important tasks.

Improvements to the team workflow

At events through the year like Drupalcon Chicago and BADCamp, several team members worked in sprints to improve the tools on Security.Drupal.org.

The Security Team process has historically been heavily reliant on email communication between the researchers reporting issues, the team, and drupal.org module/theme maintainers (see a recent high-level infographic on the team’s process). All three groups of people in that chain are volunteers who have other demands, so the e-mail communication was a common source of slowdown in progress toward issue resolution. While we created a private issue tracker in October of 2006, we were still reliant on private emails for much of the workflow. Many of the improvements below address this set of problems.

This work resulted in a number of positive outcomes for the team workflow.

  • Added a CCK content type for the creation of Security Advisories, with a tab (a custom callback) that formats the advisory so it can be pasted directly into the announcement on drupal.org. This gives project maintainers contextual help as they write the SA, removes the time spent hand-writing the advisory HTML, and took the difficulty out of the second most manual and cumbersome part of the process.
  • Comment ACL was deployed to security.drupal.org, allowing the team to invite the issue reporter, project maintainer, and interested parties to help work toward resolution of issues in the private queue without seeing other security issues. This fixed the number 1 slow point in our process (discussion on a mailing list and individual emails that had to be relayed back to the security issue queue).
  • Created and added the Project Issue Availability module which helps us know which of our team members should be assigned to which issues AND how many issues they should be assigned to.
  • Improved the submission process so that all logged in users can now submit issues directly instead of emailing! More on this below.
  • For logged-in users, the homepage of security.drupal.org shows a “dashboard” of issues that need attention. This makes it easier for security team members who have limited time to give to the team to find what they need now.
  • When a user is granted access to a private issue on security.drupal.org the site now subscribes them to notifications for that issue and sends them an automated email with instructions on what to do next.
  • All users were subscribed to notifications for issues they had access to, reducing manual effort in mailing people.
  • Updated documentation pages including updates to the team overview page, how to report an issue and what a project maintainer needs to know to work in our process.
  • Changed our process to start getting CVE identifier values for vulnerabilities in core security releases. This is a bit of additional coordination but is hopefully useful to system administrators and security researchers.

This work required not only coding, testing, and deployment but also new documentation to help project maintainers use it. These and other improvements to our workflow mean that we spend more of our volunteer hours working on the most valuable areas instead of on manual tasks that don’t use the security team members’ special skills.

New members and role changes

As often happens, the team welcomed new members in the last year and a half. These new members had expressed interest in Drupal for several years and shown themselves to be good communicators who can be trusted with the confidential information that the team must handle.

  • Michael Hess (mlhess) a faculty member at the University of Michigan who asks his students to review Drupal for security issues
  • Matt Kleve (vordude), a site-builder and developer for Lullabot
  • Forest Monsen (forestmonster), web infrastructure and security specialist for National Service Resources & Training
  • Chris Hales (chales), DevOps Manager, Lead Architect at Mediacurrent

During the year I (Greg Knaddison) took over as team lead from Heine Deelstra. Heine had been team lead for 5 years prior to that and stayed on the team as a member. Mori Sugimoto, Kieran Lal, and Matt Chapman continue in their roles as team coordinators.

I would like to reiterate what I have already said to the team in private: Thank You! The job of the team keeps growing and growing, and we are both working harder and smarter to keep up. If you encounter someone who is on the team, I encourage you to thank them for their work. Security is often cited as a reason not to use Open Source software, so it’s important that we continue to have such a robust team working with effective processes so the Drupal project can continue to grow.

New Membership Board Members

Last month we put out a call to the community to restaff the Ubuntu Membership Boards and announced a change from region-based applications to time-based boards, see: https://lists.ubuntu.com/archives/ubuntu-news-team/2012-April/001548.html Thanks to all the great candidates we had for the restaffing! It’s never easy to select from great lists and candidates, but we do have limited spots […]

(IN)SECURE Magazine Issue 34 released

(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. Issue #34 has just been released – download the magazine! The articles in this issue include: Fitness as a model for security Security and migrating to the cloud: Is it all doom and gloom? Solid state drives: Forensic […]

High-Availability Storage With GlusterFS 3.0.x On Debian Squeeze – Automatic File Replication Across Two Storage Servers

This tutorial shows how to set up high-availability storage with two storage servers (Debian Squeeze) that use Gluste…

Ubuntu Weekly Newsletter Issue 267

Welcome to the Ubuntu Weekly Newsletter. This is issue #267 for the week May 21 – 27, 2012, and the full version is available here. In this issue we cover: Ubuntu Stats Pretoria Precise Pangolin Release party with steak Data mining in Launchpad How bug information types work with privacy Ready to try ARM on […]

Announcing Fedora 17. Relish it.

“At the heat of a thousand hot dog cookers, the seventeenth release of Fedora shall be forged by contributors the world over, and it will be known as: Beefy Miracle. The mustard shall indicate progress. For six months, participants in the Fedora Project shall freely contribute to the release of the distribution, in the spirit […]

The Perfect Desktop – Linux Mint 13 (Maya)

This tutorial shows how you can set up a Linux Mint 13 (Maya)
desktop that is a full-fledged replacement for a Windows desktop, i.e.
that has all the software that people need to do the things they do on
their…

Debian Project News – May 28th, 2012

Welcome to this year’s eleventh issue of DPN, the newsletter for the Debian community. Topics covered in this issue include: * Bits from the Release Team * Removal of Qt3 from Debian * Report from Debian Utsavam * Interviews * Other news * Upcoming events * New Debian Contributors * Release-Critical bugs statistics for the […]

== PostgreSQL Weekly News – May 27 2012 ==

PostgreSQL Day Argentina 2012 will be held on November 13th in Bernal, Buenos Aires, at the National University of Quilmes. It will cover topics for PostgreSQL users, developers and contributors, as well as decision and policy makers. For more information about the conference, please see the […]

Gtk2Hs: Point release for many packages today!

A number of packages have undergone a point release today: cairo, glib, gstreamer, gtk2hs-buildtools, gtksourceview2, svgcairo, and webkit. The only changes are to allow these packages to build on a wider variety of GHC, gtk, and cabal-install version…

The Official FCM Map Of Awesomeness

It’s a warm and lazy Sunday afternoon here at FCM Towers*, so I thought I’d put up a post showing some of the data from our visitors map (aka: The FCM Map of Awesomeness) and Google Analytics. I mean what proper geek doesn’t like numbers and graphs? * We don’t actually have a tower, but […]

WordPress 3.4 Release Candidate

The first release candidate (RC1) for WordPress 3.4 is now available. If you haven’t tested WordPress 3.4 yet, now is the time!