Hi Jim,
I respond separately on "Handling security-related issues" as it has not
that much to do with the process; it is merely a technical remark.
Handling security-related issues
Enable a special field in JIRA to mark an issue as a security
issue and restrict access to the JIRA issue to the PPMC and
committers.
Hold initial discussions on potential security issues on the
private PPMC list. When acknowledged that it's a valid security
issue, create a JIRA issue with special security field marked.
As soon as appropriate (for example, when the impact is understood
and/or there is a resolution and fix developed), open the issue
and discussion to the river-dev list.
When we create such a field, it will become a default field when people
enter an issue. Any person can therefore mark (upon entering the issue)
an issue as a 'security issue'. In that case *no* mail will be sent to
the river-commit mailing list; I expect, though, that the component owner
(which we don't have) or otherwise the project owner(s) will get a
posting (this has to be tested).
That person is responsible for bringing it in the private mailing list.
As long as an issue stays marked as 'security issue' it stays hidden from
all except the committers. The only way to make it visible is to mark it
as no longer being a 'security issue', but that doesn't seem right. Do
you envision this as a problem?
--
Mark