At 04:36 06-10-01, Rasmus Lerdorf wrote:
Jani said:
> > Excellent idea. This is exactly something we really need.
> > A private address which is not limited to 10 persons or so.
> > What did Linus say again..enough eyes and all bugs are..something?
> I'm really not all that worried about having the ability to fix issues in
> the small group or at least understanding the issue and bringing in the
> appropriate people privately to come up with a fix.  So the number of
> people receiving that initial email really doesn't worry me.  Heck it
> could be a single person we designate to be the security officer and
> rotate that responsibility.  It isn't that hard to figure out who wrote a
> specific piece and if you have been around a while you know the people who
> are likely to be able to provide some insight.

The number of people who get to see it does worry me - it has to be
reasonably small to be manageable, which is why I think that the way it
works today is pretty good (such reports go to group@; adding
[EMAIL PROTECTED] is a good idea too; I don't like the security-officer idea
too much though).  This can't be an open forum such as php-dev either, for
obvious reasons.

The 'enough eyeballs' rule doesn't apply here, at least it doesn't apply in
many cases.  If something is safe enough to be sent out in the open on
php-dev, no problem.  If it's a bad bug, e.g., a remotely exploitable bug,
fixing it silently, involving only the people who are related to the faulty
code, is probably the best practice.


PHP Development Mailing List