It’s fine to have a page and a security mailing list.

Who from the PPMC is going to monitor the security@ mailing list?

I’m already subscribed to private@.

I would not want sensitive topics and reports to be discussed in this security ML
if anyone is allowed to subscribe.

The ASF process still needs to be followed anyway, and for any reports we would need
to loop in [email protected] anyway.

I bet people would email [email protected] by mistake with
sensitive data when they should have used [email protected], and I also bet we
will be explaining multiple times when to use each ML list.

If we have such an ML list, I certainly will not be using it or subscribing, and I
expect any serious reports and findings to find their way to private@.

If there are users that have security questions on how to do something, or someone
sharing best practice for security, they can certainly use the dev@ list we have
today.

+1 to have a security page
-1 to have yet another ML list [email protected]

- Carlos Santana
@csantanapr

> On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz <[email protected]> 
> wrote:
> 
> Hi,
> 
>> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana <[email protected]> wrote:
>> For security reports, ASF already has a process, let's not improvise..
> 
> Agreed but it's fine for projects to have their own security page, as
> long as the ASF process is followed.
> 
>> ... Reported should send email to [email protected] ...
> 
> It's also ok for projects to have their own security@ list, see
> https://sling.apache.org/project-information/security.html for an
> example.
> 
> -Bertrand
