On Dec 12, 2016 7:44 PM, "Daniel Ruggeri" <drugg...@primary.net> wrote:
On 12/12/2016 12:26 AM, William A Rowe Jr wrote: > In spite of 34 registered project committee members, until other > contributors come forward to participate in the security patch review > process, we may simply have to declare all further efforts are currently > on pause. Does one have to be on PMC to review security patches? If not, can you give me a general idea on volume? This would be something I think $dayjob would be OK with me doing as part of keeping a shirt on my back and roof over the childrens' heads ;-) This is something our httpd security team has revisited a few times over the past few years. To be on *httpd* security list, we require a certain level of trust. In the past, this was based on PMC membership. We have since tweaked things to bring in proven committers who are not yet on the PMC. Also, all ASF Members have access to private archived lists; this includes any PMC private lists and security lists across the foundation. In terms of volume, there are only a handful of security issues per year, from none to a dozen, but many dozens of reports we have to evaluate and filter. It often takes probing questions of the reporter to distinguish their defect report from a vulnerablity, or to quantify and qualify the exposure and risk. The ASF-wide list is another beast, it is a massive spam trap, exceeding dozens of garbage messages per day, to capture about a dozen legitimate messages a day, and only a tiny handful of new inbound messages a day that are dispatched to the appropriate PMC's team. That list does require ASF Membership to volunteer because it has full visibility into most every defect.
