commons-dev mailing list archives

From Matt Sicker <boa...@gmail.com>
Subject Re: Security mailing list
Date Fri, 15 Dec 2017 16:12:07 GMT
There certainly are several ASF projects that have dedicated security@
mailing lists (e.g., Tomcat has one). Would bug reporters still just email
security@apache.org and then security@ would forward to the appropriate
commons list?

On 15 December 2017 at 08:03, Gilles <gilles@harfang.homelinux.org> wrote:

> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>
>> Hi,
>>
>> over the last months we have definitely seen our share of security
>> related issues. However, I also noticed that we had a tendency to
>> lose these threads in the overall noise, resulting in mails like "Did
>> anyone reply to the reporter?"
>>
>> No, according to Linus Torvalds, that is perfectly fine, because a
>> security issue is "just another bug". However, I am not Linus, and
>> would like to see these things in a better state.
>>
>> As a consequence, I'd like to question how others are handling this.
>> Could we have a mailing list, like security@commons.apache.org,
>>
>
> +1
>
> Gilles
>
>> preferably with subscription limited to private@ members, and
>> security@apache.org subscribed automatically. (In theory, we could
>> subscribe selected committers, too.)
>>
>> At the very least, this would allow us to create a filter for security
>> related messages, thereby concentrating our attention.
>>
>> Jochen
>>


-- 
Matt Sicker <boards@gmail.com>
