> -----Original Message-----
> From: news [mailto:[EMAIL PROTECTED]] On Behalf Of Costin Manolache
> Sent: Wednesday, October 16, 2002 7:46 AM
> To: [EMAIL PROTECTED]
> Subject: Vote results + Security Audit redirection
>
> It seems the vote on a tomcat-commiter list got a majority -
> unless all inactive committers start voting -1.
>
> Craig/Sam - please create the list or let me know who
> can do it. The intention is to have all active committers
> in asap.
>
> As soon as we get the list, I think we should move the
> [Security Audit] and the other thread to it.

Being sorry to interrupt you and not even a committer, I don't fully understand what [Cc] threads mean and do negatively. (Would someone mind explaining more or less about that?)

>
> We can forward the mails to the public list - but
> I would like to have the fixes in CVS and the potential
> releases before the information gets public.
>
> I'm all for full disclosure and public exploits - but
> at least if we find the bugs, we should fix them before
> making it public.
>

I got a little bit curious about why finding bugs relevant to security and fixing them should not be open. I don't doubt that there are both merits and demerits in discussing those critical issues with full disclosure. Absolutely there may be some peril that some (bad) people can misuse the opened information purely exposed to help the tomcat community collaborate against security problems. Regardless of such understanding, I feel sorry about the loss of the potential that more openness can give more people chances to figure out the shared troubles and remind them of the importance of security at an early stage.

There was also some comment about "other special issues", which has not been clear to me yet. What are the criteria for distinguishing committer-closed special issues and developer-open common issues? (I'm able to infer security must be one of the criteria, though.) I think some agreement among the tomcat dev mailing list should be made before an issue is moved into the tomcat committer-only mailing list. Basically, I hope every discussion among Apache Jakarta Project developers would be as open and transparent as possible.
>
> --
> Costin
>

IAS
Independent Java Technology Evangelist http://www.iasandcb.pe.kr
Jakarta Seoul Project Coordinator http://jakarta.apache-korea.org