On Sat, 17 Apr 2021 at 17:33, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> I'll go with the consensus here but I feel that the security list should be
> for humans and posts there deserve human attention on an ASAP basis. I've
> just seen too many false positives and noise from automated tools over the
> years.

Agreed.

> Gary
>
> On Sat, Apr 17, 2021, 09:48 Stefan Bodewig <bode...@apache.org> wrote:
>
> > On 2021-04-13, Mark Thomas wrote:
> >
> > > On 13/04/2021 17:49, Stefan Bodewig wrote:
> >
> > > <snip/>
> >
> > >> Fabian has offered to set up OSS Fuzz for Compress. Given that the
> > >> issues OSS Fuzz detects may or may not be security sensitive, I don't
> > >> feel it would be a good idea to have the tool send reports to a public
> > >> mailing list. Therefore I propose to create another subscription
> > >> moderated list just for these kinds of reports. I'm afraid it could be
> > >> too noisy for security@commons.
> >
> > > Following the "split by audience, not by topic" guideline, I'd suggest
> > > using security@commons.a.o rather than a separate list. Much, much
> > > bigger projects than Compress use OSS Fuzz and direct traffic to their
> > > security list where it seems to be manageable.
> >
> > With more projects jumping in this may become more traffic. Given that
> > at least one subscriber of security@ (Gary) is strongly against using
> > that list, I don't want to force it on him.
> >
> > Stefan
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org