Date: Tue, 19 Dec 2006 12:03:09 -0800 (PST)
From: Chris Hostetter
To: java-dev@lucene.apache.org
Subject: Re: access policy for Java Open Review Project

: application vulnerable or is really just a "ruckus" issue? Part of
: me thinks that b/c the code is freely available, people could find
: the security issues anyway, so we aren't really protecting ourselves
: anyway by denying access.

Personally I agree ... if the source is free, all exposing vulnerabilities to the public can do is give more people the power to submit patches. Anyone truly nefarious can run FindBugs (or purchase copies of the Fortify commercial analysis applications) on the source code directly and get the same information.

Then again: my involvement with "high profile" open source projects is relatively short lived ... there may very well be a lot of 'old timers' with horror stories of past experiences that demonstrate why some aspects of Open Source projects need to be less open than others to protect the user base.

-Hoss