We're adopting CVSS (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator),
which allows us to classify the impact of security issues
based on industry standard metrics.
While there is still a lot of room for interpretation,
it is more objective than our previous system of "critical/high/medium/low",
with one sentence descriptions on how we interpret that "severity rating".
This effectively changes our process to only apply
security fixes to release lines in "limited support" (currently 3.6 and 3.7)
if they're considered "critical" (CVSS > 9.0).
We've already limited preannounces to CVSS >7.0 in these docs.
Moved the guts to "making a core release", since it's only really relevant to that audience.
There's more work to do around making security and non-security releases the same (less special handling),
but I think this is a good start.
[ci-skip]
- Stronger wording around "use composer"
- Consistent domain and email address naming
- Removed example for publishing non-composer modules (those shouldn't be encouraged)
- Removed instructions for installing modules from archives
[ci skip]
We have too many docs to list these out now,
even in 3.x this was a bit of a stopgap solution.
Point to a centrally managed URL on silverstripe.org
instead, where we can update the list of "core modules" regularly
without breaking URLs in the docs etc
Note that these URLs are also used internally by the
Open Sourcerers team.
JIRA isn't fully under the OSS team's control,
and played up in the past (Dan couldn't move issues).
Since Github has project boards now, and we're paying
for private repos on github.com/silverstripe-security already anyway,
there's no reason to introduce another tool (JIRA) into our workflows.
No need to move existing issues, the JIRA board hasn't been used in a while.
Which leads to unclear ownership and status of security issues,
and is exactly the reason for this change ;)