On 6 Oct 2011, at 13:22, Florian Effenberger wrote:
> Dirk-Willem van Gulik wrote on 2011-10-06 14:14:
>> Furthermore - there is nothing stopping you from having a knownsecurity@ 
>> group more focused on security - and having this as your first (more public) 
>> port of call.
> 
> for years, there has been security@ooo. That group knows each other very 
> well, has been working together in trust for many years, and not only I 
> proposed here on this list to continue working the way it was before, since 
> security is an area where we can work together closely apart from any 
> "political" issues.

Good. So you have an excellent starting point. And know that this type of 
sharing is very common already.

> However, I was told several times that this is not desired

Reading the exchanges - I think language was getting in the way of things. As I 
tried to outline - there are a few aspects pertaining to oversight which need 
to be met (by any foundation - and the US makes some of that a lighter touch, 
than, say, the legal system of the Netherlands would allow a 'stichting' or 
'vereniging'). But beyond that - there is freedom.

I can easily imagine a group of committers doing initial follow and triage 
around security@$project.apache.org - who have a very routine, very trusted and 
deep relation with other security groups outside the ASF and vice versa. And 
I'd expect that you'd quickly gravitate towards joint advisories and similar 
when appropriate. If that means that an MoU is needed - well that would be a 
first - but not something you should reject out of hand.

Meanwhile the ASF will always be responsible, accountable and needs to show it 
is in full control of each and every bit which goes out as a release - and we 
(mostly) do that by ingress control on our version control system. So CLAs are 
important. And the board will expect that the PMC maintains proper oversight. 

It is such a key part of a release and our responsibility that one cannot 
easily 'farm this out'.

Dw