I like the idea of a video call.

Gary

On Thu, Oct 10, 2024 at 8:07 AM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:

> Hi Mark,
>
> On Thu, 10 Oct 2024 at 11:00, Mark J. Cox <m...@apache.org> wrote:
> > Hi Chris! As Arnout wrote, we set up the public security-discuss list and wiki to be such a working group to capture and share some best practices among our projects. It was the follow-up from some of the good ideas captured after the White House meetings following on from log4shell. Then, anything that we want to make a requirement, rather than a recommended practice, would feed back into the security committee to add into our existing policies. I believe that's the right place for the things you're suggesting.
> >
> > The list hasn't had a lot of traction, and many of the ideas and thoughts on the wiki didn't get followed up on as it didn't get a lot of interest (mostly lacking volunteers wanting to spend the time on it). So it would be great to get some more feedback, input, and leadership from you there.
>
> As you remarked the list doesn't have a lot of traction and I didn't see any of the subjects that were discussed there being pursued further.
>
> Last week, together with some members of the Logging PMC and Security Team, I had a video meeting with two security experts regarding the quality of our SBOMs (not very high) and how to improve it and then extend their usage in the ASF. I will share my conclusions about the meeting on `security-discuss@community` once I get around all the subjects that were discussed, but I found the overall experience of a (virtual) face-to-face meeting more productive than long discussions on `security-discuss@community`.
>
> Maybe we should have a regular Security Round Table held on a video conference platform. This would allow us:
>
> * to communicate with the Security Team more directly,
> * to think about security more regularly (there is a meeting, I need to prepare),
> * to have some short meeting notes that show us how fast (or slowly) security awareness in the ASF is growing.
>
> What do you think?
>
> Piotr