On Thu, Oct 6, 2011 at 1:45 AM, Simon Phipps <[email protected]> wrote:
>
> On 6 Oct 2011, at 00:25, Dennis E. Hamilton wrote:
>
>> Whatever the arrangement is to become, it should not have a single point
>> of failure in achieving coordination on common-mode/mono-culture
>> vulnerabilities.
>
> Agreed. Let's design something without one.
>
>> Anyone can post to anyone's security list. But they are private lists.
>> It is the part where discretion must occur in handling vulnerabilities
>> until the fix is in and a CVE is posted that happens privately and that
>> might work better with some shared membership on the security lists. On
>> AOOo, the PPMC is aware of any resolution that works into code, because of
>> the way a security fix gets committed into a release.
>
> In my view, a shared list that's explicitly intended as a collaborative
> venue is the best idea - that way developers don't have to understand or
> agree with the niceties of anyone else's governance. If
> [email protected] isn't going to work, how about we ask TDF to
> host a collaborative venue for security postings by each other's security
> team members?

If a TDF or ASF list is secondary for me but I would volunteer to join this mailing list to help on this topic in the future. But maybe we should try to keep the existing and known [email protected] mailing list, and I see no reason why it shouldn't work. I think it is probably more a problem of the people on this list and missing communication. I assume that people on this list now have other priorities and are not so responsive, which of course is natural if they have a new job or moved into other projects ... We should simply ensure that people who are active on both projects are on the list and take care of such things.

Juergen

> S.
