On Fri, Jan 6, 2017 at 4:24 PM, Ed Cable <edca...@mifos.org> wrote:
> Could our Apache Fineract mentors please provide some guidance on a couple
> of the areas we need to improve upon:
>
> QU10 "*The project is open and honest about the quality of its code.
> Various levels of quality and maturity for various modules are natural and
> acceptable as long as they are clearly communicated." -*
>
> Do you have any other projects you could point to that have strong,
> transparent measures of quality and maturity clearly available? We want to
> follow best practices and adopt similar to display at
> http://fineract.incubator.apache.org

Regular deployment of tools like Findbugs is a good indication that you take this requirement seriously.

> *QU30: The project provides a well-documented channel to report security
> issues, along with a documented way of responding to them.*
>
> Currently we just link to: http://www.apache.org/security/ Are we able to
> do as other projects at http://www.apache.org/security/projects.html or is
> a private channel not something we can set up till we're out of
> incubation? If we can move forward, I'd suggest we have a security page
> on our site, document and fix known vulnerabilities and then provide clear
> instruction on reporting vulnerabilities to a private channel like
> secur...@fineract.incubator..apache.org

This is less about security@fineract vs. http://www.apache.org/security/ and more about the community being ready for when the first 0 day hits either of those. Being ready is a combination of tribal knowledge, wiki recommendations and a release policy that would allow you to patch at a drop of a hat.

Thanks,
Roman.