tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chuck Murcko <>
Subject Re: [VOTE] tomcat-commiters list
Date Mon, 14 Oct 2002 21:41:17 GMT

On Monday, October 14, 2002, at 01:40 PM, Costin Manolache wrote:

> Chuck Murcko wrote:
>> There's currently a call for project committers to be on the
>> list. This list intends to be the clearinghouse for
>> all ASF project related security issues, not just httpd.
>> Costin, Craig, et al.: the deal seems to be that each major project
>> version have someone who's a committer subscribed as a project liason.
>> So it might make sense if you both signed up, or if other committers
>> wanted to step forward...I would leave that to you all to figure out.
>> Not to short-circuit a Tomcat committers list, because there may well 
>> be
>> issues other than security to deal with, and it would make sense to 
>> have
>> information flow between security@ and a proposed tomcat-committers@
>> anyway (I'm thinking the detailed hashing of fixes would happen on the
>> latter list).
> Regarding - I think that all who play the role of
> release manager should be on the list ( i.e. Remy, Larry, Mladen, 
> Henri).
> It seems to be open for a limited number of 'liasons' ( I hope it
> is more than one, as we have several major components ).
> My preference is that any tomcat commiter who is interested to be able
> to get this info and discuss ( and hopefully fix ) tomcat security
> issues. I hope that whoever gets the security messages will fix them or
> forward them to tomcat-commiters - but that's of course his choice.
> If the apache list is open to any commiter - I'll certainly subscribe
> ( and I hope most active tomcat commiters will do the same ! ),
> but that doesn't remove the need for a private list for tomcat
> commiters.

Yes, the security list is open to all committers, and it is not a 1:1 
mapping of projects to committers/subscribers. Definitely all the RMs 
should be on it, as well as interested committers from each 
project/major component. I should have said "at least one" somewhere 
before, especially if a fix needs to get rolled out quickly and 

As for other issues needing a private and local (to Tomcat) list, I must 
leave that to you all to decide. After thinking about it a bit more MHO 
is that a separate committers list really sounds equivalent to having 
committer participation on the PMC list for jakarta, if that is possible.


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message