I'm particularly happy to announce that today we are launching a new initiative in the community around Liferay security. From the new Community Security Team (CST) pages: "The Liferay Community Security Team is an all-volunteer group of community members who manage security issues related to Liferay CE. When security-related issues arise in the open source Liferay project, the CST works to minimize the impact and provide notification and relief to the community. In addition, the CST provides ongoing education to developers and users to keep their Liferay sites secure."
This team provides a much needed and long overdue element in the Liferay open source community, helping to quickly fix security issues and provide patches for existing community users. As Liferay (and many other open source projects) continues to grow in usage and popularity, so too does the importance and potential impact of security issues, and it's vital that we respond quickly with a well-understood and predictable response. In addition to reacting (through advisories, patches, etc.), this team is also chartered with being proactive in the community, educating developers, administrators, and end users about security best practices and specific techniques that can be used with Liferay.
The CST pages contain a wealth of information including:
- How you can get involved in the team
- How the team operates
- How to subscribe to receive new security advisories
- How to respond to such advisories
- How to report new issues
- How to install patches
- and much more
As both an important part of and a corporate sponsor of open source, Liferay is also issuing a corporate security statement, outlining its commitment to security and its policies around reporting to the wider community.
The initial CST comprises individuals from the wider Liferay community, as well as employees of Liferay, Inc. All community members are welcome to participate! Because membership gives access to information about potentially sensitive security issues, membership is somewhat limited to those in the Liferay community with a proven track record in areas related to security or with special skills needed by the team. The best way to get involved is to review security fixes with a security mindset, get down and dirty and find and/or fix a few issues, and interact with the team in the course of its duties.
The team is currently busy catching up with a number of security issues that were reported in the Liferay Portal 6.1 CE GA1 release. Several fixes are currently available through the CST, and a couple more are expected in the next week (be sure to subscribe to the Security Advisory Forum or the feed by clicking on the RSS/Atom icon on the Known Vulnerabilities page).
As with any new venture, there are still a few unfinished items and there are bound to be hiccups or things we can improve on, so please be patient and constructive with any feedback you wish to give.
The team is still in the process of ironing out its processes, and some work remains for GA1 (as stated above). We are also expecting a GA2 release of Liferay Portal 6.1 soon, and at that point the team will shift to managing that release's security. Once the processes have been battle-tested, the team will begin to execute on other areas of its charter (e.g. education and outreach). The team will also begin to integrate its output within other areas of the community (e.g. pointers to latest patches on the main CE download page, or perhaps notifications during initial install that there are new fixes available). The team will also provide translations for the CST page content and advisories in the following weeks.
There are a lot of community members who care about security, and I am hopeful that together we can ensure continued confidence in the security of Liferay!