incubator-cloudstack-dev mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: [DISCUSS] cloudstack.org emails
Date Fri, 10 Aug 2012 14:31:45 GMT

On Aug 10, 2012, at 8:08 AM, Brett Porter <brett@apache.org> wrote:

> 
> On 10/08/2012, at 6:33 PM, Wido den Hollander <wido@widodh.nl> wrote:
> 
>> I can think of a legitimate reason for having webmaster@ and security@, but where
>> do we forward them? What do we do with them if the people who it gets forwarded to are on
>> vacation?
>> 
> 
> I don't know if webmaster would be useful any more (maybe just forward to the PPMC?).

Yea…. in general, if there are general content or formatting issues with the cloudstack
website, we'd prefer they send a note to the dev list or something (with a patch.  :-)  ).
  If it's more severe than that (like the site is down), there isn't anything the PMC can
do anyway and most likely infrastructure already knows about it due to the monitoring stuff
they have running.


> For security, see [1]. The ASF has a dedicated security team for facilitating correct
> handling of vulnerabilities. Vulnerabilities can be sent directly to them (and they'll engage
> the PPMC privately, which is what most projects do), or you can have a separate security list
> (if that group of people differs from the PPMC - see [2]). If there is a separate list, security@
> is automatically copied, so someone is always able to respond to a report in a timely manner.

As someone that is involved with a couple projects that have gotten several security issues
reported in the last few months (CVE level issues), I would suggest just starting with the
normal security@a.o address and let them forward to the PPMC.   One thing about the security@
addresses is that they DON'T run the spam filters on them to make sure nothing is lost.  Thus,
there is a lot of noise.    If you can let the security team filter through that and then
forward along the real issues to the PMC, that can be a big help.   If the volume gets high
or you need a specific subset of the PMC to be involved in security issues, a separate list
can be set up, but I would suggest waiting until there really is a need for that.  (unless
you really do like reading through spam…..)

Dan



>> We should make an easy entrance for reporting security issues, but having e-mail
>> addresses online tends to attract e-mail from people who seek support, that's what the -users
>> list is for.
> 
> :)
> 
> You'll see in any security report [3] that they do get support questions, but it doesn't
> seem to be a high enough volume to be a problem. I believe they get politely redirected to
> the right place.
> 
> Cheers,
> Brett
> 
> [1] http://www.apache.org/security/
> [2] http://www.apache.org/security/projects.html
> [3] http://apache.org/foundation/records/minutes/2012/board_minutes_2012_06_20.txt (search
> for Attachment 6)
> 
> --
> Brett Porter
> brett@apache.org
> http://brettporter.wordpress.com/
> http://au.linkedin.com/in/brettporter
> http://twitter.com/brettporter
> 

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com

