What criteria should we use to evaluate new members?
In priority order:
- Can be relied on not to reveal our secrets to the world before their time, and not to behave inappropriately in interactions with maintainers and issue reporters
- Show they have free time and willingness to spend that time working toward team goals
- Show knowledge/skills that will help us with our work: either technical security issues OR our process, or ideally both
Places to grant access
- Mailman: Greg, killes, Kieran, Heine or Mori can do this. Add them to both security@ and security-tracker@
- Drupal.org roles: grant the "security team" role which will let them publish advisories on drupal.org
- Access on security.drupal.org: Have them visit the site to get a local account, then edit it and grant the "Security team" role, which will list them on https://security.drupal.org/team-members. Heine, Greg Knaddison, Joshua, and Scor can do this.
- IRC access: greggles or chx can do that (see Using the IRC Channel).
- E-mail duty rotation: add them on the handling-list-emails page. Anyone can do that.
Initial Concepts for new members
- Designate your availability
- We tend to have discussions in #drupal-security, particularly on a “release day” (Wednesdays). Please join when you can.
- We have discussions on the security@drupal.org mailing list. New issues may be reported there or via the issue queue, so pay attention to both of the mailing lists you were subscribed to. You can also choose not to be subscribed to all emails from s.d.o and instead subscribe to queues/issues individually.
- Q: I have found a security hole, should I report it to security@drupal.org or create an issue directly? A: Create an issue directly on security.drupal.org; it mails the team as well. Similarly, mailing the entire team to ask for a review is redundant and shouldn't be done.
- Q: How do I join #drupal-security? A: See using the security team IRC channel for proper IRC commands.
- Q: Somebody sent an issue/question to security@drupal.org. Who is supposed to answer? A: Whoever is scheduled according to our schedule, though if you have particular experience/expertise you could respond "list only".
Must Read documents for new members
- Contacted by security team -- now what? http://drupal.org/node/101497
- The security team page and all sub pages http://drupal.org/security-team
- The Security team procedures book