Requesting a "Security" Category

The same way we have a QA, would it be possible to get a Security category please?

Ping @tfoote, @dirk-thomas, @wjwwood, @nuclearsandwich and other folks managing discourse.

6 Likes

+1 - it’d be great to get this going before ROSCon, so that we can reference it in our workshop!

3 Likes

I agree that this would be useful.

In general it’s an important topic. However, I’d like to understand what the scope of the category would be and who would be on it and what would happen here versus on any other category.

Can you please propose a blurb to propose for the category’s About page? So that everyone can make sure that we’re on the same page and then once we have the scope and some people saying that they’re interested in participating in it we can then generate the category.

I’m suggesting that we follow the same approximate guidelines for creating a new category that we’ve developed for local user groups where we define the category and then demonstrate interest before creating it. In particular why would this be more valuable than the existing wg-security tag?

IMHO, a Security category will very much help us organize and sub-classify topics within security. There’re tons of items here that fall into different sub-categories. E.g. threat modeling, SROS2, security workshops, etc. We should be able to classify this either by having each one of these relevant topics with their own sub-category (similar to Local User groups) or using tags. Not very sure if tags would be very comfortable though.

All right, here’s my attempt:

Security - a place for the community to discuss any security-related topic that concerns ROS and ROS 2. Refer to http://design.ros2.org/ for some security-related intuition and what the community is currently working on.

I like the idea and the description.

Cheers,
-Joe

I don’t have particularly strong opinions regarding categories versus tags since one can subscribe to either, but I’d say that the wg-security tag isn’t enough as it’s specific to ROS 2, and security is not. To that end:

If we do end up going with a category, I disagree with linking to the ROS 2 design here. We simply need a way to discuss security-related topics that concern both ROS 1 and 2. We do, however, already have a security tag.

That’s a valid point, I was too centered in ROS 2. ROS(1)-related topics are of relevance as well for this category.

This is why we need to have a clear definition of what the category is to discuss and validate. It’s important that we have a description of what the category is that everyone agrees and understands.

When we create a new category we’re segmenting the audience. Every user will have to stop and think where should I post a new topic, in category X or category Y. And they need to be able to decide based on the categories’ descriptions.

Likewise when a new category is created users need to choose whether to subscribe to it or not. There are many types of “security” channels, some are forums for vulnerability notification, some are discussion areas for best practices and when well deployed those are mutually exclusive due to the different audiences. The users will need to know what value they will get out of subscribing to the category.

So to that end the category description should allow people to answer two questions. I have something to post, is this the right place? And secondly, is this category worth my time to subscribe to, what can I expect to get out of it?

2 Likes

Good insight @tfoote. Security is interesting in that it’s a topic that is typically referring to something else. Security in ROS 1. Security in ROS 2. Security in MoveIt!. Security in Ubuntu. To that end, I’m now leaning toward saying that a “security” tag in combination with the relevant category (“General” for ROS 1, “Next gen ROS” for ROS 2, etc.) makes the most sense. The one case that doesn’t seem to cover is when the topic in question is more general, or relates to multiple projects. Do we just leave it uncategorized at that point? In Discourse that seems like a recipe for being undiscovered, but perhaps I’m wrong. Maybe that’s a reason to have a “ROS 1” category so that “general” can be a bit more… general.

This is a step back. I disagree. You’re relying on users tagging (with the security tag) things appropriately and that may or may not happen. Then, who’s going to track things and re-tag them? That’s a very time consuming effort. Having them categorized from the very beginning would be a much greater way to start.

@tfoote, I take from your comment above that we need to be more specific than “Security - a place for the community to discuss any security-related topic that concerns ROS and ROS 2”. The upcoming ROSCon is a great spot where to discuss this I guess.

That’s exactly the case for using General. Anything general like announcements and news should go to General. Both ROS 1 and ROS 2 release announcements go there and it’s what we recommend all users subscribe to.

The NextGen ROS category has been used as a category to segment off the ROS 2 development communication from the main announcements feed in General so that users can monitor the General channel and only those interested in more detailed communication about the development of ROS 2 will choose to subscribe to the ng-ros channel. It would probably be reasonable to propose to rename ng-ros to be something more like core development down the line.

Yeah definitely it would be good to learn about what people want to hear about there.