apex-dev mailing list archives

From "Pramod Immaneni (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (APEXCORE-318) Document security vulnerability process
Date Thu, 28 Jan 2016 21:37:39 GMT

    [ https://issues.apache.org/jira/browse/APEXCORE-318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15122346#comment-15122346 ]

Pramod Immaneni commented on APEXCORE-318:
------------------------------------------

Chris, if we follow a model similar to Hadoop's of using a separate email list, is it OK to
ask infra for an email list like security@apex.apache.org (without using incubator), or should
we wait till the last possible moment before becoming top level to request this?

Secondly, since the nature of groups like these would be to not announce issues to the
public until the vulnerabilities are fixed, is it right to assume that the membership of this
group is selective and may not be every committer? Also, how do groups like these track issues
before the vulnerabilities are fixed? Can JIRA still be used without making the information
public for these till the fix?

> Document security vulnerability process
> ---------------------------------------
>
>                 Key: APEXCORE-318
>                 URL: https://issues.apache.org/jira/browse/APEXCORE-318
>             Project: Apache Apex Core
>          Issue Type: Task
>            Reporter: Chris Nauroth
>            Assignee: Pramod Immaneni
>              Labels: tlp
>
> QU30
> The project provides a well-documented channel to report security issues,
> along with a documented way of responding to them.
> I couldn't find a security vulnerability process documented at
> apex.incubator.apache.org.  Example:
> http://hadoop.apache.org/mailing_lists.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
