Security mailing lists should also be private and only accessible to PMC members (and ASF members).
On Thu, Mar 21, 2019 at 04:03, Carlos Santana <[email protected]> wrote:
> That's fine to have a page and a security mailing list.
>
> Who from the PPMC is going to monitor the security@ mailing list?
>
> I'm already subscribed to private@
>
> I would not want sensitive topics and reports to be discussed in this security ML if anyone is allowed to subscribe.
>
> The ASF process still needs to be followed anyway, and for any reports we would need to loop in [email protected] anyway.
>
> I bet people would email [email protected] by mistake with sensitive data when they should have used [email protected], and I also bet we will be explaining multiple times when to use each ML list.
>
> If we have such an ML list I certainly will not be using it or subscribing, and I expect any serious reports and findings to find their way to private@.
>
> If there are users that have security questions on how to do something, or someone sharing best practices for security, they can certainly use the dev@ list we have today.
>
> +1 to have a security page
> -1 to have yet another ML list [email protected]
>
> - Carlos Santana
> @csantanapr
>
>> On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz <[email protected]> wrote:
>>
>> Hi,
>>
>>> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana <[email protected]> wrote:
>>> For security reports, ASF already has a process, let's not improvise..
>>
>> Agreed, but it's fine for projects to have their own security page, as long as the ASF process is followed.
>>
>>> ... Reporters should send email to [email protected] ...
>>
>> It's also ok for projects to have their own security@ list, see https://sling.apache.org/project-information/security.html for an example.
>>
>> -Bertrand

--
Matt Sicker <[email protected]>
