Why would we do that? Security concerns are the responsibility of the PMC and are supposed to be kept confidential until resolved, aren't they?

On 25 July 2016 at 20:31, Jacques Le Roux <[email protected]> wrote:

> I guess we need at least a separate list to grant access to non
> OFBiz-PMC/ASF members
>
> Jacques
>
> On 25/07/2016 at 06:38, Scott Gray wrote:
>
>> Do we actually need a separate mailing list, or should it just forward to
>> private@?
>>
>> Regards
>> Scott
>>
>> On 25 July 2016 at 15:58, Ashish Vijaywargiya <[email protected]> wrote:
>>
>>> +1
>>>
>>> --
>>> Kind Regards
>>> Ashish Vijaywargiya
>>> HotWax Systems - est. 1997
>>>
>>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <[email protected]> wrote:
>>>
>>>> Rationale: every ASF project needs a private list to discuss product
>>>> vulnerabilities; for OFBiz the "private" list has been used for this
>>>> purpose until now; however an ad-hoc list may be useful because it could
>>>> provide a more focused space to discuss the security issues and could
>>>> provide more flexibility to invite in the private list persons willing to
>>>> help that are trusted by the PMC.
>>>>
>>>> Please vote,
>>>>
>>>> +1
>>>>
>>>> to create a "security" list (i.e. [email protected]) and move all
>>>> the security related discussions and notifications currently happening on
>>>> the private list to this new list: according to the ASF policies [*] the
>>>> list will be a private list used by the persons willing to help to resolve
>>>> security issues; the list of subscribers will be approved by the OFBiz PMC.
>>>>
>>>> Otherwise vote -1 to continue to use the "private" mailing list for
>>>> vulnerability handling.
>>>>
>>>> [*] http://www.apache.org/security/
