geronimo-user mailing list archives

From: Donald Woods <>
Subject: Re: [DISCUSS] Security Vulnerability Policy created
Date: Mon, 19 Jan 2009 22:10:44 GMT
Sounds good to me.

Should step #8 include a post to the private@ list, so other PMC members 
will have some history behind the fixes being checked into svn in step #9?


Kevan Miller wrote:
> On Jan 19, 2009, at 9:14 AM, Donald Woods wrote:
>> There was a long discussion around mid-December on the private and 
>> security Geronimo mailing lists about how to handle security 
>> vulnerabilities.  The outcome of that discussion (which is mainly a 
>> boilerplate suggested by Mark Thomas for all projects to use) can be 
>> found on our Project Policies wiki page at -
>> If you see anything that needs changing or information that needs to 
>> be added, then please discuss on this thread.
> The only question I had concerned step 6. Should the fix be discussed on 
> security@ and/or private@? It needs to be on a "private" list, to 
> properly embargo the vulnerability until a fix is available. Since most 
> of the discussions of the issue occur on security@geronimo, I think 
> discussion of the fix is most appropriate there.
> Thoughts?
> --kevan
