Concerns about the credit in the footer of Redmine
Resolution: Wont fix | Affected version: 4.0.2
Currently it says something like Powered by Redmine © 2006-2018 Jean-Philippe Lang
I think it should instead be "Powered by Redmine © 2006-2019" or "Redmine 2.0.4 © 2006-2019", and then the word Redmine or Redmine Team should link to the page listing/mentioning JPL plus the many other contributors and maintainers who have also put a lot of their valuable time into this project ever since.
It's understandable that JPL is the owner, but it feels a little unfair. Redmine is the first OSS project I've seen which doesn't bother making sure it's properly crediting all the contributors/maintainers in the footer, but only JPL.
Not that it's anything urgent, but I just wanted to bring this up.
I mean... regarding just the version information...
Maybe it's imperative to be realists here: if somebody needed to crack Redmine or harm a company using Redmine, they'd do it no matter what. It's not hard to identify the version simply off the change logs, which are public.
Then we need to understand 2 things:
1. No one will ever do it, unless there is some sort of valuable benefit to extract out of this.
2. Hacking is a felony, so the risks must be well justified.
On the contrary, public version info might urge people to upgrade more often and thus patch security issues. It's also really common within Redmine's user base to still sit on an ancient version of Redmine, which IMHO is a bad habit if users want to pursue the best possible security.
As of now, it also seems more like "Nope, we're not displaying a version, so we are removing all the responsibilities from us as developers regarding the security of the app, you all are now on your own."
"We're scared to display the version because our software screams VULNERABILITY!"
#5 Updated by Holger Just 12 months ago
The idea of not showing the exact version information is to not make it easier for potential attackers to identify the Redmine version and launch targeted attacks. However, we are well aware that it is possible to roughly detect the version of Redmine based on other means, so this only slightly helps against a determined attacker. But it's still a protection we want to keep as part of a layered approach to security.
In addition to that, publicly showing the exact version is imho unlikely to cause more people to upgrade when they are ignoring available updates today. Actively informing administrators of pending updates and their impact might help, but this is out of scope for this issue here.
Finally, the Redmine project and we contributors are definitely not absolving ourselves of responsibilities by not showing the exact version publicly. All detected or reported vulnerabilities are quickly fixed and released for all supported versions of Redmine. This is announced on the news section and on Security_Advisories.
As for replacing JPL's name in the footer with something like "Redmine team", I think that since he has carried the project over many years, he deserves some recognition (in addition to him carrying most of the actual copyright of Redmine). Thus I think JPL well deserves to have his name squarely rendered there in the footer.
#6 Updated by Rolf Fischer 12 months ago
Thanks for the explanations. I do not want to discuss credibility or deny valuable contributions. I was not aware of these arguments, and perhaps they are not fully convincing, since there may also be internal instances of Redmine which are not in danger of being attacked, and the version information is also available more prominently in browsers, so I thought it might be good to have it more easily accessible for the "naive" user. Again, thanks for your efforts to explain that, and thanks to all contributors for their passionate and ongoing efforts.
Best regards, Rolf