Hi,

About the security mail list. According to this guide [1]

> No information should be made public about the vulnerability until it is
> formally announced at the end of this process.
> That means, for example that a Jira issue must NOT be created to track the
> issue since that will make the issue public. Also the messages associated
> with any commits should not make ANY reference to the security nature of the
> commit.

The security problem should be discussed either in the security mail list or the private mail list. Personally I think the private mail list is enough.

[1] http://www.apache.org/security/committers.html

Thanks,
--
Jialin Qiao
School of Software, Tsinghua University

乔嘉林
清华大学 软件学院

> -----Original Message-----
> From: "Xiangdong Huang" <[email protected]>
> Sent: 2020-04-04 10:56:10 (Saturday)
> To: [email protected]
> Cc:
> Subject: [discuss] [Mentors pay attention] About the maturity evaluation
>
> Hi all,
>
> I am trying to evaluate the maturity of the community by following the
> Apache maturity evaluation model.
>
> I have finished a draft in [1]. I'd like to invite all of you to review
> this table and point out which item is not suitable.
>
> Issues I know:
>
> - Now we need to add a new document (in English) for introducing how to
> release. Luckily we have got a volunteer, Sail.
>
> - The maturity model emphasizes how to face the security issues. Do we need
> a security mailing list for handling security issues? (Actually, I'd like
> to keep such issues to dev@ mailing list for a while. We can consider
> creating a new mailing list security@ only when our dev@ mailing list has
> too many emails)
>
> [1]
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=148645763
>
> Best,
> -----------------------------------
> Xiangdong Huang
> School of Software, Tsinghua University
>
> 黄向东
> 清华大学 软件学院
