[TYPO3-ect] Extension Rating System and Reviews Status
Michael Scharkow
michael at underused.org
Wed Aug 2 13:54:26 CEST 2006
Hi Elmar,
Elmar Hinz wrote:
> What is so personal about security reviews that it must work behind closed
> doors? If something is done behind closed doors without a reason it makes
> me distrustful. Often it only covers that little is done in practice.
The security team works behind closed doors because we're not really
interested in 0-day exploits. Since the security team has been in charge
of security reviews, those discussions happened to be non-public, which
was IMHO not our intention but evolved out of the discussion.
> That is Patrick's part, who is our official coordinator of the Ratings and
> Revisions.
Sorry, just as you might feel offended by not being consulted on these
issues, I don't like you calling anyone official coordinator of ratings and
revisions. Who has appointed Patrick?
What about Robert, myself and lots of volunteers who have worked in
this area for a long time? The reviewing and ratings have been public in
svn ever since, and the ratings were even publicly beta-tested.
I very much support Patrick taking over these issues, but helping is
about getting work done, not about official titles.
> In TYPO3 and probably other projects the named officials in most cases
> don't answer or they answer in an inappropriate way. Currently I neither
> reach the security team nor does anybody reach Rene Fritz for questioning
> about global categories. What is so professional about officials behind
> closed doors that don't communicate what they do and which are not
> reachable for cooperation?
I can't speak for Rene but the security team has IMHO too many
responsibilities at the moment, and there are lots of basically
OT-questions addressed at the team, which in turn leads to nobody
answering any non-urgent questions.
Greetings,
Michael