On Wed, Jul 06, 2016 at 05:16:50PM -0500, Don Armstrong wrote:
> On Wed, 06 Jul 2016, Salvatore Bonaccorso wrote:
> > On Tue, May 24, 2016 at 06:54:00AM +0200, Salvatore Bonaccorso wrote:
> > > Hi,
> > >
> > > On Mon, May 23, 2016 at 10:49:54PM +0200, Moritz Mühlenhoff wrote:
> > > > Hi,
> > > > adding [email protected] to CC and quoting in full below to
> > > > solicit further comments.
> > > >
> > > > I think Drake's proposal makes perfect sense, the current behaviour is
> > > > mostly historic, it was around before I joined the security team ten
> > > > years ago.
> > > >
> > > > And maybe let's add something like:
> > > > "If you want to contact the security in private, please write to
> > > > [email protected],
> > > > if you want to discuss this on a public mailing list write to
> > > > [email protected]."
> > >
> > > Just an "agree" from my side. It probably would make sense to not send
> > > replies to [email protected] but instead have it sent to another
> > > mail which autoreplies with a set of indications what can be done and
> > > expand it with the above two lines. IIRC if someone tries to post to
> > > d-s-a manually, it gets already such an autoreply, just needs to say
> > > as well the further two contact lines.
> >
> > is there any further information needed from the security team for
> > this, or any other blocker?
>
> The choices without significant extra engineering are to have Reply-To:
> messages to go [email protected], not to set a Reply-To:
> or to have Reply-To set to
> [email protected]
>
> I'm OK with whatever y'all decide.

Let's have the Reply-To set to [email protected], then. That will provide
people with all the necessary information.

Cheers,
Moritz

