tomcat-dev mailing list archives

From Chuck Murcko <ch...@topsail.org>
Subject Re: [VOTE] tomcat-commiters list
Date Mon, 14 Oct 2002 20:25:35 GMT
There's currently a call for project committers to be on the 
security@apache.org list. This list intends to be the clearinghouse for 
all ASF project related security issues, not just httpd.

Costin, Craig, et al.: the deal seems to be that each major project 
version have someone who's a committer subscribed as a project liaison. 
So it might make sense if you both signed up, or if other committers 
wanted to step forward...I would leave that to you all to figure out.

Not to short-circuit a Tomcat committers list, because there may well be 
issues other than security to deal with, and it would make sense to have 
information flow between security@ and a proposed tomcat-committers@ 
anyway (I'm thinking the detailed hashing of fixes would happen on the 
latter list).

Just my $0.02.

Chuck

On Monday, October 14, 2002, at 12:14 PM, Costin Manolache wrote:

> Bill Barker wrote:
>
>>> I would like to propose a new mailing list.
>>>
>>> The list will be closed to committers only. The main purpose
>>> will be discussions of security and other special issues.
>>> This should avoid [Cc] threads.
>>>
>>> The main target should be active committers - so it should
>>> start empty.
>>>
>>> This is a majority vote.
>>>
>>> [ ] I agree with the proposal
>>> [X] I don't agree with the proposal
>>
>> Security holes don't occur often enough to bother with maintaining the
>> "active committers" list, and there isn't much point in the list
>> otherwise. Plus, segregating the security concerns simply would make the
>> mbox archives a must-bookmark for every black-hat. :)
>
> Apparently they do occur more often than we would like. And I've been
> in at least 4 Cc: chains in the last 2 months. Whoever is in the
> apache security list or PMC should forward tomcat security
> problems to a known address where it can be addressed.
>
> It is not only for security - but any issue that we might consider
> 'private' ( again, it is better than using the Cc: ).
>
>
> --
> Costin


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>

