On Wed, Jul 27, 2011 at 9:23 PM, Dennis E. Hamilton <[email protected]> wrote:
> Now that we've confirmed that the ooo-security list exists and the three
> moderators appear to be subscribers, I believe the next action is to
> subscribe the existing OO.o/LibreOffice security folk, per
>
> <http://mail-archives.apache.org/mod_mbox/incubator-ooo-dev/201107.mbox/%[email protected]%3e>
>

-1. This is the project's private security list, with only a subset of the PPMC on it. We should not have 3rd parties signed up on it.

Observe the process here:

http://www.apache.org/security/committers.html

"Information may be shared with domain experts (eg colleagues at your employer) at the discretion of the project's security team providing that it is made clear that the information is not for public disclosure and that [email protected] or the project's security mailing list must be copied on any communication regarding the vulnerability."

So there is a distinction here between the "project's security team" and "domain experts". I'd like to see the ooo-security list be the former, and have us bring in the latter when necessary for a particular issue.

I think it would be a great idea to track, in a text file in the PPMC's private directory, a list of 3rd party experts who could be consulted for particular kinds of issues. But if and when to bring in those 3rd parties should be decided on a case by case basis.

> There was also a notion of cross-subscribing some lists, but that would
> probably be after that.
>

We could put those addresses into the private text file as well, but I'd rather trust a person's email address than to trust an opaque list.

-Rob

> - Dennis
>
> -----Original Message-----
> From: Rob Weir [mailto:[email protected]]
> Sent: Tuesday, July 26, 2011 13:33
> To: [email protected]
> Subject: Testing
>
> This is a test, to see if the list has been set up properly.
>
> -Rob
