On my side I voted +1 as I think it would be easier for me to follow security topics with a dedicated list. Furthermore, I don't need to be added to the private list as I don't need/want to be part of strategy or main orientations discussions for OFBiz.
2016-07-25 11:27 GMT+02:00 Scott Gray <[email protected]>:

> Why would we do that? Security concerns are the responsibility of the PMC
> and supposed to be kept confidential until resolved, aren't they?
>
> On 25 July 2016 at 20:31, Jacques Le Roux <[email protected]>
> wrote:
>
> > I guess we need at least a separate list to grant access to non
> > OFBiz-PMC/ASF members
> >
> > Jacques
> >
> > On 25/07/2016 at 06:38, Scott Gray wrote:
> >
> >> Do we actually need a separate mailing list, or should it just forward to
> >> private@?
> >>
> >> Regards
> >> Scott
> >>
> >> On 25 July 2016 at 15:58, Ashish Vijaywargiya <[email protected]> wrote:
> >>
> >>> +1
> >>>
> >>> --
> >>> Kind Regards
> >>> Ashish Vijaywargiya
> >>> HotWax Systems - est. 1997
> >>>
> >>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <[email protected]> wrote:
> >>>
> >>>> Rationale: every ASF project needs a private list to discuss product
> >>>> vulnerabilities; for OFBiz the "private" list has been used for this
> >>>> purpose until now; however an ad-hoc list may be useful because it could
> >>>> provide a more focused space to discuss the security issues and could
> >>>> provide more flexibility to invite in the private list persons willing to
> >>>> help that are trusted by the PMC.
> >>>>
> >>>> Please vote,
> >>>>
> >>>> +1
> >>>>
> >>>> to create a "security" list (i.e. [email protected]) and move all
> >>>> the security related discussions and notifications currently happening on
> >>>> the private list to this new list: according to the ASF policies [*] the
> >>>> list will be a private list used by the persons willing to help to resolve
> >>>> security issues; the list of subscribers will be approved by the OFBiz PMC.
> >>>>
> >>>> Otherwise vote -1 to continue to use the "private" mailing list for
> >>>> vulnerability handling.
> >>>>
> >>>> [*] http://www.apache.org/security/

--
Grégory Draperi
