Motivation:
The security-questions and security-team channels are not used in the way their titles and topics indicate they will be used.
Some people get notifications about security-questions, but those folks should probably set alerts to happen on security-team. The team should ideally make announcements in security-team. Discussion about releases and questions or notifying the team of problems with releases should also occur in security-team.
There is some agreement in the team on this proposal. (xjm, cilefen, mlhess provided feedback/review).
Below are some updated topics. We'll wait a bit for feedback on this proposal and then the security working group will decide how to move forward.
Current names / topics:
#security-questions
Security general conversation. Please don't discuss private issues by module name. Ask for help and a team member will followup. Please thread your discussions.
#security-team
Ask questions to the security team, however, remember not to discuss any issues or specific vulnerabilities. List of Team members: https://security.drupal.org/team-members
Proposed names / topics:
#security-team
Topic: Announcements, discussion of Security Advisories, and request to speak with team members. Monitored by: https://security.drupal.org/team-members Do not discuss private issues or vulnerabilities. General discussion: #security-discussion.
#security-discussion
Topic: Discussion of security questions in Drupal, sharing best practices. This channel is not actively monitored by the Security Team. Remember not to discuss private issues or vulnerabilities.
Comments
Comment #2
dww
Seems reasonable and clear. No objections from me, FWIW.
Comment #3
feyp commented
+1 on the proposal from me as well. When I first joined Slack the proposal was my intuitive understanding of how it might work and I was a little bit confused when I learned that it was basically the other way around. I was also surprised when official communication by the team referencing Slack mentioned the #security-team channel only, while all the action (like announcements of number of planned releases) was happening in the #security-questions channel.
I corrected a small typo in the new #security-questions topic. acitvely => actively. I'd suggest to add a sentence with a reference to the #security-team channel at the end to point people in the right direction.
For the transition process, I think it would be a good idea to set up a reminder in #security-questions for a few weeks to let people know each week at the start of the window that announcements will now happen in #security-team.
Comment #4
greggles
Thanks for that feedback!
And thanks for the typo fix!
One note related to the topics: Slack topic maximum length is 250 characters, so we're a little constrained.
Comment #5
mttsmmrssprks commented
+1 agreed, this sounds like a useful reorganisation of the channels.
Comment #6
nicrodgers
Sounds sensible. It's good to have an official 'security team' channel, and a separate general security questions channel, and it makes sense that the official announcements should come from the official security team channel. Thanks for proposing this, it'll be a good improvement.
Comment #7
nickdickinsonwilde
Seems good to me +1
Comment #8
dww
Maybe slightly premature, but so far it’s been 💯 support of the proposal. Moving this along to RTBC.
Thanks, -Derek
Comment #9
greggles
Thanks for the additional feedback. I agree at this point we can consider it ready to go pending enough time for folks who might currently be away-from-keyboard to come back and share their perspective. Feedback from the security team was requested in Slack and in email. I think we could move forward with this on July 13th. That's the first time it might make a difference.
Comment #10
yesct commented
The proposed topics make sense to me. Thanks for sorting this out.
Comment #12
greggles
Thanks, everyone. I think this is now done.