-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Christopher Faylor wrote:
> I hate to suggest another mailing list but I wonder if we should have
> another unarchived, closed list for discussing security issues. The
> recent setup.exe problem got me thinking that we might need something
> like this.
>
> I'm not suggesting that this email was inappropriate since these are all
> known issues but maybe another mailing list might help focus on
> important security issues.
>
> Or should we just use this list and not worry about it?

The major problem that we have with security is that we don't have a
person/team which has advance notice of security issues like the Linux
distros have, and I have no idea how to go about changing that. Right
now I have to wait for the issues to be public in order to know about
them. If we can set up a "security team" from the core group of
maintainers and start getting advance notices, then we definitely will
need a way of communicating in private.

I would agree to such a list for the "security team" only, but I would
suggest it be used in tandem with "closed" Bugzilla entries. This would
allow including a maintainer on a per-issue basis, and once the issue is
public, the bug could then be opened.

Yaakov

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkio4XoACgkQpiWmPGlmQSMw2gCfTphwMrLIN46o5aw/LLzosmvs
oZ8An32yfI0TzcfNolwkw69qf749Iu5k
=3J3u
-----END PGP SIGNATURE-----