geronimo-dev mailing list archives

From "Jacek Laskowski" <ja...@laskowski.net.pl>
Subject Re: [DISCUSS] Handling of Security Exposures in Geronimo
Date Fri, 08 Aug 2008 21:32:13 GMT
+1

Jacek

On Wed, Jul 23, 2008 at 7:13 PM, Kevan Miller <kevan.miller@gmail.com> wrote:
> All,
> There was a recent report by Fortify on Open Source Security --
> http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
> The report says there were some number of potential vulnerabilities
> identified in Geronimo. No details of the vulnerabilities have been reported
> to us (although the tests seem to have been run some time ago...). Once we
> understand what the potential vulnerabilities are, we can start to assess...
>
> The report does identify concerns that we could be doing a better job of
> reporting security vulnerabilities and letting users know how they can
> report security vulnerabilities to our project. I agree with this.
>
> As noted here -- http://www.apache.org/foundation/contact.html -- any ASF
> security concerns can be safely relayed with an email to
> security@apache.org.
>
> It probably makes sense for us to create a security@geronimo.apache.org
> mailing list. Project-specific security mailing lists are automatically
> relayed to the security@apache.org mailing list. A project-specific list
> will reduce spam and allow us to focus on Geronimo issues, rather than
> Apache-wide issues.
>
> I also think that we should create a security page on our web site (e.g.
> geronimo.apache.org/security). This page could be used to describe how any
> potential vulnerabilities should be reported. It should also be used to
> report vulnerabilities as they are fixed. This allows users to easily
> identify what security exposures a particular version of Geronimo might
> have.
>
> Thoughts on the mailing list and web site? Assuming we're in general
> agreement, I'd like to see us working on these in the near future.
>
> Finally, I've learned that there are a few potential sources for running
> static code analysis scans against our codebase:
>
>   https://opensource.fortify.com/teamserver/welcome.fhtml
>   http://scan.coverity.com/
>
> I think we should take a look at these and decide if it's something we want
> to take advantage of. Thoughts?
>
> --kevan
>
-- 
Jacek Laskowski
Notatnik Projektanta Java EE - http://www.JacekLaskowski.pl
