tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "IAS" <tom...@iasandcb.pe.kr>
Subject RE: Vote results + Security Audit redirection
Date Thu, 17 Oct 2002 05:16:54 GMT
> -----Original Message-----
> From: news [mailto:news@main.gmane.org] On Behalf Of Costin Manolache
> Sent: Wednesday, October 16, 2002 7:46 AM
> To: tomcat-dev@jakarta.apache.org
> Subject: Vote results + Security Audit redirection
> 
> It seems the vote on a tomcat-commiter list got a majority -
> unless all inactive commiters start voting -1.
> 
> Craig/Sam - please create the list or let me know who
> can do it. The intention is to have all active commiters
> in asap.
> 
> As soon as we get the list, I think we should move the
> [Security Audit] and the other thread to it.

Being sorry to interrupt you and not even a committer, I don't fully
understand what [Cc] threads mean and do negatively. (Would someone mind
explaining more or less about that?) 

> 
> We can forward the mails to the public list - but
> I would like to have the fixes in CVS and the potential
> releases before the information gets public.
> 
> I'm all for full disclosure and public exploits - but
> at least if we find the bugs, we should fix them before
> making it public.
> 

I got a little bit curious about why finding bugs relevant to security
and fixing them should be not open. I don't doubt that there are both
merit and demerit of discussing those critical issues with full
disclosure. Absolutely there may be some peril that some (bad) people
can misuse the opened information purely exposed to help tomcat
community to collaborate against security problems. Regardless of such
understanding, I feel sorry about loss of the potential that more
openness can give more people chances to figure out the shared troubles
and remind them of importance of security at an early stage.

There was also some comment about "other special issues", which has not
been clear to me yet. What are criteria of distinguishing
committer-closed special issues and developer-open common issues? (I'm
able to infer security must be one of the criteria, though.) I think
some agreement among tomcat dev mailing list should be made before an
issue is into tomcat committer-only mailing list. 

Basically, I hope every discussion among Apache Jakarta Project
developers would be as open and transparent as possible.

> 
> 
> --
> Costin
> 
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:tomcat-dev-
> unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-
> help@jakarta.apache.org>
> 

IAS

Independent Java Technology Evangelist
http://www.iasandcb.pe.kr

Jakarta Seoul Project Coordinator
http://jakarta.apache-korea.org



--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message