metron-dev mailing list archives

From Casey Stella <ceste...@gmail.com>
Subject Re: Apache Security Process
Date Thu, 09 Jun 2016 15:01:37 GMT
So, evidently this is something only mentors or people from the Incubator
PMC can do.
Will one of the mentors please request this for us @
https://infra.apache.org/officers/mlreq/incubator
?

Thanks,

Casey

On Thu, Jun 9, 2016 at 10:35 AM, Casey Stella <cestella@gmail.com> wrote:

> I filed an infra ticket for this:
> https://issues.apache.org/jira/browse/INFRA-12071
>
>
> On Thu, Jun 9, 2016 at 9:43 AM, Michael Miklavcic <michael.miklavcic@gmail.com> wrote:
>
>> Hi all,
>>
>> Motion to create a security@metron.incubator.apache.org mailing list
>> (http://apache.org/dev/committers.html#mail)
>>
>> Best,
>> Michael Miklavcic
>>
>>
>> On Thu, Jun 2, 2016 at 1:30 PM, Owen O'Malley <omalley@apache.org> wrote:
>>
>> > I'd also recommend that you create a security@metron.incubator.apache.org
>> > for users to report any security issues they discover.
>> >
>> > .. Owen
>> >
>> > On Thu, Jun 2, 2016 at 10:28 AM, Casey Stella <cestella@gmail.com> wrote:
>> >
>> > > Sorry, it's deleted now.  We will be more careful in the future.
>> > >
>> > > Thanks for the vigilance, Larry.
>> > >
>> > > Casey
>> > >
>> > > On Thu, Jun 2, 2016 at 1:24 PM, larry mccay <lmccay@apache.org> wrote:
>> > >
>> > > > All -
>> > > >
>> > > > Please become familiar with the Apache process for reporting,
>> > > > discussing, filing JIRAs and fixing security vulnerabilities [1].
>> > > >
>> > > > METRON-198 has exposed more than we should in a public manner and the
>> > > > attached report should be removed.
>> > > >
>> > > > Details of any particular issues should only be discussed on a project's
>> > > > security or private list and it needs to also include the security@a.o
>> > > > list.
>> > > >
>> > > > Fixes need to be discussed and agreed upon on the private list and JIRAs
>> > > > filed to commit the fix should be vague and as general as possible - so as
>> > > > not to disclose the details of the vulnerabilities and inform the
>> > > > development of exploits.
>> > > >
>> > > > Also, pay attention to the CVE related aspects of the process in the page
>> > > > referenced below.
>> > > >
>> > > > thanks,
>> > > >
>> > > > --larry
>> > > >
>> > > > 1. http://www.apache.org/security/committers.html
>> > > >
>> > >
>> >
>>
>
>
