On 10 Oct 2012, at 11:18, d3fault <[email protected]> wrote:

> Oh right this is where I'm supposed to disagree or object or
> something... See:
> http://lists.qt-project.org/pipermail/development/2012-October/006892.html
>
> tl;dr: I object on the grounds that behind closed doors security is
> not only a waste of time, it also hurts Qt _users_.
> Do This:
> -CVE/CERT aka private/exclusive notifications go to some email address
> that only core security team has access to:
> [email protected] or something

in the proposal that is [email protected]

> [email protected] becomes 'Security' mailing list, public
> Read/Write. Only people interested in security read from or post to
> this list. Questions, suggestions, etc

in the proposal that is development@ and/or interest@

> [email protected]/Security-announce mailing list
> announces immediately on (a) vuln existence confirmation, (b) vuln fix
> (a and b can be grouped together, but a should not wait for b).
> Distributors and Qt _users_ alike subscribe to this list, but with
> Read-Only access. Core security team has write access

in the proposal that is announce@

-- 
Eike Ziller, Senior Software Engineer - Digia, Qt
Digia Germany GmbH, Rudower Chaussee 13, D-12489 Berlin
Managing Directors: Mika Pälsi, Juha Varelius, Anja Wasenius
Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 144331 B

_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
