openwhisk-dev mailing list archives

From Carlos Santana <csantan...@gmail.com>
Subject Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting
Date Thu, 21 Mar 2019 12:58:22 GMT
Yep, that’s why I said let’s use the 2 mailing lists we already have, security@apache.org and private@openwhisk.org

Let’s not create a 3rd

- Carlos Santana
@csantanapr

> On Mar 21, 2019, at 8:54 AM, Matt Sicker <boards@gmail.com> wrote:
> 
> Security mailing lists should also be private and only accessible to PMC
> members (and ASF members).
> 
>> On Thu, Mar 21, 2019 at 04:03, Carlos Santana <csantana23@gmail.com> wrote:
>> 
>> That’s fine to have a page and security mailing list.
>> 
>> Who from the PPMC is going to monitor the security@ mailing list?
>> 
>> I’m already subscribed to private@
>> 
>> I would not want sensitive topics and reports to be discussed in this
>> security ML if anyone is allowed to be subscribed.
>> 
>> The ASF process still needs to be followed anyway, and for any reports we would
>> need to loop in security@apache.org anyway
>> 
>> I bet people would email by mistake security@openwhisk.apache.org with
>> sensitive data when they should have used security@apache.org and also bet
>> we will be explaining multiple times when to use each ML list.
>> 
>> If we have such an ML list I certainly will not be using it or subscribing and
>> expect any serious reports and findings to find their way to private@
>> 
>> If there are users that have security questions on how to do something or
>> someone sharing best practice for security they can certainly use the dev@
>> list we have today
>> 
>> +1 to have a security page
>> -1 to have yet another ML list security@openwhisk.apache.org
>> 
>> - Carlos Santana
>> @csantanapr
>> 
>>> On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:
>>> 
>>> Hi,
>>> 
>>>> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana <csantana23@gmail.com> wrote:
>>>> For security reports, ASF already has a process, let's not improvise..
>>> 
>>> Agreed but it's fine for projects to have their own security page, as
>>> long as the ASF process is followed.
>>> 
>>>> ... Reported should send email to security@apache.org ...
>>> 
>>> It's also ok for projects to have their own security@ list, see
>>> https://sling.apache.org/project-information/security.html for an
>>> example.
>>> 
>>> -Bertrand
>> 
> -- 
> Matt Sicker <boards@gmail.com>
