On 6 Oct 2011, at 00:25, Dennis E. Hamilton wrote:

> Whatever the arrangement is to become, it should not have a single point of
> failure in achieving coordination on common-mode/mono-culture vulnerabilities.

Agreed. Let's design something without one.

> Anyone can post to anyone's security list. But they are private lists. It
> is the part where discretion must occur in handling vulnerabilities until the
> fix is in and a CVE is posted that happens privately and that might work
> better with some shared membership on the security lists. On AOOo, the PPMC
> is aware of any resolution that works into code, because of the way a
> security fix gets committed into a release.

In my view, a shared list that's explicitly intended as a collaborative venue is the best idea - that way developers don't have to understand or agree with the niceties of anyone else's governance.

If [email protected] isn't going to work, how about we ask TDF to host a collaborative venue for security postings by each other's security team members?

S.
