I meant an inter-project list, not an intra-project list.

-----Original Message-----
From: Rob Weir [mailto:[email protected]]
Sent: Monday, December 12, 2011 14:05
To: [email protected]
Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)

On Mon, Dec 12, 2011 at 4:54 PM, Dennis E. Hamilton <[email protected]> wrote:
> I don't have any doubts about Apache-wide handling of CVEs, and guidance to
> security teams within Apache projects is complete and comprehensive.
>
> I was thinking more about an OpenOffice-ecosystem public discuss list where
> the various security teams for OpenOffice.org code-based products can work
> out mutual agreements on security issues and the CVEs that impact common
> features. It should be separate from the private, sensitive lists that are
> only for reports of security issues.
>

If it is not private, then how about here on ooo-dev? Although one could imagine a set of additional lists for every dev specialization in the project, I'm not sure we really need a separate public list for security. But once you get started, it is hard to stop: security, then qa, localization, performance, accessibility, UI, doc, help, install, etc. Creating lists and putting boxes around things is very clean and logical. I assume that is how OOo ended up with 300+ of them.

> - Dennis
>
> -----Original Message-----
> From: Daniel Shahaf [mailto:[email protected]]
> Sent: Monday, December 12, 2011 11:27
> To: Dennis E. Hamilton
> Cc: [email protected]
> Subject: Re: Handling and Reporting CVEs (was RE: Proposal: ooo-announce list)
>
> Dennis E. Hamilton wrote on Mon, Dec 12, 2011 at 10:21:33 -0800:
>> PS: It might be nice to have a single public place to discuss just
>> these practices across the family without deflecting the reporting
>> lists from their focused purpose with regard to receiving and
>> assessing vulnerability and exploit reports. Although I think one
>> would be useful to have, there does not seem to be much interest on
>> the part of the various security teams.
>>
>
> If you want to have an Apache-wide discussion about how to handle CVE's
> I'm sure there's an existing list appropriate for that.
> [ ... ]
>
