Do we actually need a separate mailing list, or should it just forward to private@?
Regards Scott On 25 July 2016 at 15:58, Ashish Vijaywargiya < [email protected]> wrote: > +1 > > -- > Kind Regards > Ashish Vijaywargiya > HotWax Systems - est. 1997 > > > On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato < > [email protected]> wrote: > > > Rationale: every ASF project needs a private list to discuss product > > vulnerabilities; for OFBiz the "private" list has been used for this > > purpose until now; however an ad-hoc list may be useful because it could > > provide a more focused space to discuss the security issues and could > > provide more flexibility to invite in the private list persons willing to > > help that are trusted by the PMC. > > > > Please vote, > > > > +1 > > > > to create a "security" list (i.e. [email protected]) and move > all > > the security related discussions and notifications currently happening on > > the private list to this new list: according to the ASF policies [*] the > > list will be a private list used by the persons willing to help to > resolve > > security issues; the list of subscribers will be approved by the OFBiz > PMC. > > > > Otherwise vote -1 to continue to use the "private" mailing list for > > vulnerability handling. > > > > [*] http://www.apache.org/security/ > > >
