private channel for security? · zulip

Stream: zulip

Topic: private channel for security?

Oliver Bertuch (Mar 09 2023 at 11:26):

Maybe we should also change permissions to create private streams to admins and mods.

Oliver Bertuch (Mar 09 2023 at 11:27):

It might be a good idea to rename a few things

Oliver Bertuch (Mar 09 2023 at 11:28):

E.g. rename "general" to "community" so people expect more chatiness in that channel

Oliver Bertuch (Mar 09 2023 at 11:28):

It might also be useful to have an "announcement" stream that people are auto-subscribed to

Oliver Bertuch (Mar 09 2023 at 11:31):

Did you read the article @Don Sizemore sent WRT to the slow death of Google Groups? I've seen Zulip allows for an inbound mail message stream. Dunno if that might be worth a try to migrate a few things to Zulip in one go. We could for example make the low frequency groups like dataverse-dev etc a Zulip stream. And maybe create one for security. Dunno...

Philip Durbin 🚀 (Mar 09 2023 at 11:46):

By "closed" you mean "private". I think "core team" is the only one.

Oliver Bertuch (Mar 09 2023 at 11:47):

So far it's the only one, yes

Oliver Bertuch (Mar 09 2023 at 11:47):

It might be interesting to have a security channel which is private with history blank for new people joining

Oliver Bertuch (Mar 09 2023 at 11:48):

We could tell people to reach out to us on the community channel if they find a security thing and talk with them in such a channel

Philip Durbin 🚀 (Mar 09 2023 at 11:49):

Maybe, but our current practices around security chatter are probably ok. New topic, please, and probably not right now. :happy:

Oliver Bertuch (Mar 09 2023 at 11:50):

Changed the topic so we can pick it up again later

Philip Durbin 🚀 (Mar 09 2023 at 12:53):

That's fine but it's a big lift. You'd need to convince lots of people to join Zulip first.

Philip Durbin 🚀 (Mar 10 2023 at 13:22):

People are starting to join! :tada:

Philip Durbin 🚀 (Mar 28 2023 at 12:02):

Is the following possible with Zulip? Or just a dream? "It might be interesting to have a security channel which is private with history blank for new people joining"

Oliver Bertuch (Mar 28 2023 at 12:07):

image.png

Philip Durbin 🚀 (Mar 28 2023 at 12:28):

Huh. Interesting. Thanks.

Philip Durbin 🚀 (Mar 28 2023 at 12:31):

Here's the current topic in the new security channel:

"A placeholder security stream to redirect to proper channels: security@dataverse.org and/or https://github.com/IQSS/dataverse-security — Please don't post sensitive information here."

Philip Durbin 🚀 (Mar 28 2023 at 12:32):

Is a read-only stream possible? If so, maybe the #security stream could have a single topic/message saying:

"To report security issues, please email or security@dataverse.org create an issue at https://github.com/IQSS/dataverse-security"

Philip Durbin 🚀 (Mar 28 2023 at 12:38):

As a reminder, in 5.13 we wrote up our current practices at https://guides.dataverse.org/en/5.13/developers/security.html

We can certainly change things and edit that page! :happy:

Don Sizemore (Mar 28 2023 at 13:24):

I just wanted to get ahead of someone jumping in and posting something sensitive. Read-only sounds great. It could be a private stream if we want to assume the risk that Zulip content will never be leaked?