Mitchell Stoltz wrote:
> It sounds like people are saying they want [EMAIL PROTECTED] to be
> the address where people not on the security group can send security bug
> reports. Yes, this is one of the traditional addresses to use for this
> purpose, as several people have pointed out. However, no one has
> directly responded to my question: I think "security" is ambiguous, and
> doesn't precisely describe the purpose of the address, which means it
> may attract more off-topic posts. People may think it's for discussion
> of cryptography engineering or physical building security or the
> security of Mozilla servers, none of which is the case. More off-topic,
> irrelevant posts to this address means more work for the maintainers.

I think tradition trumps logic here: You're right, if we were starting from a clean slate, and we were the first project to do this sort of thing, then we might not necessarily want to use "[EMAIL PROTECTED]" as the well-known bug reporting address. However it's already in wide use for this purpose, and because it's the shortest possible name with "security" in it, it's probably the first thing bug reporters are likely to guess if they don't go to the trouble of looking up the address.

You're also correct in that this address might receive some off-topic messages (not to mention spam). I don't think there's any way around this, other than to just reply to off-topic messages with a canned reply pointing people to the right forums.

So IMO we should choose "[EMAIL PROTECTED]" for the bug reporting address, and then some other name (I don't really care what) for the security bug group mailing list.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
