commons-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: Security mailing list
Date Sun, 17 Dec 2017 15:38:56 GMT
On 17 December 2017 at 15:07, Gary Gregory <garydgregory@gmail.com> wrote:
> Is there a requirement to double post to s@a.o? If not, switching from s@a.o
> to s@c.a.o seems ok.

Huh?
Not sure where the double post ref comes from.

All security issues must be copied to s@a.o.
This is done automatically if users post to s@c.a.o.

If they only post to s@a.o, then they will forward to s@c.a.o.

> Gary
>
> On Dec 17, 2017 03:31, "Jochen Wiedmann" <jochen.wiedmann@gmail.com> wrote:
>
>> I think that the topic would deserve a few more replies.
>>
>> Jochen
>>
>>
>> On Fri, Dec 15, 2017 at 6:07 PM, sebb <sebbaz@gmail.com> wrote:
>> > On 15 December 2017 at 16:12, Matt Sicker <boards@gmail.com> wrote:
>> >> There certainly are several ASF projects that have dedicated security@
>> >> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
>> >> security@apache.org and then security@ would forward to the appropriate
>> >> commons list?
>> >
>> > Either.
>> >
>> > If they mail security@a.o then they will forward to security@commons
>> >
>> > If they mail security@commons, then security@a.o is automatically copied.
>> >
>> >> On 15 December 2017 at 08:03, Gilles <gilles@harfang.homelinux.org> wrote:
>> >>
>> >>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>> >>>
>> >>>> Hi,
>> >>>>
>> >>>> over the last months we have definitely seen our share of security
>> >>>> related issues. However, I also noticed that we had a tendency to
>> >>>> lose these threads in the overall noise, resulting in mails like "Did
>> >>>> anyone reply to the reporter?"
>> >>>>
>> >>>> No, according to Linus Torvalds, that is perfectly fine, because a
>> >>>> security issue is "just another bug". However, I am not Linus, and
>> >>>> would like to see these things in a better state.
>> >>>>
>> >>>> As a consequence, I'd like to question how others are handling this.
>> >>>> Could we have a mailing list, like security@commons.apache.org,
>> >>>>
>> >>>
>> >>> +1
>> >>>
>> >>> Gilles
>> >>>
>> >>>> preferably with subscription limited to private@ members, and
>> >>>> security@apache.org subscribed automatically. (In theory, we could
>> >>>> subscribe selected committers, too.)
>> >>>>
>> >>>> At the very least, this would allow us to create a filter for security
>> >>>> related messages, thereby concentrating our attention.
>> >>>>
>> >>>> Jochen
>> >>>>
>> >>>
>> >>>
>> >>> ---------------------------------------------------------------------
>> >>> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
>> >>> For additional commands, e-mail: dev-help@commons.apache.org
>> >>>
>> >>>
>> >>
>> >>
>> >> --
>> >> Matt Sicker <boards@gmail.com>
>> >
>> >
>>
>>
>>
>> --
>> The next time you hear: "Don't reinvent the wheel!"
>>
>> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>>
>>
>>
