Al
On 10/11/24 1:57 PM, Mark Thomas wrote:
On 11/10/2024 17:52, Dominik Psenner wrote:
Gary, I can well remember those days. I think we were able to handle it
quite well even if we had no disaster recovery plan at hand. However, that
was a zero-day exploit in the wild.
Unfortunately, directed attacks are a lot nastier. Imagine a mail bot
spamming all mailboxes to the storage limit within minutes. There are many
other rather simple methods to achieve an effective DoS.
In a volunteer organization of individuals doing stuff in their free time,
simple things like an international call are unfeasible. I estimate a call
from Italy to the USA to be ~ 1.48€ / 1.62$ per minute. Frankly, I wouldn't do
that but rather get my family and friends a pizza with free drinks. Sorry
Gary, don't expect long talks with me by phone. :-))
Phone numbers support more than phone calls. The Tomcat PMC tends to use
Signal to plan meeting up for meals etc. when at conferences (zero
cost assuming you have data or WiFi), but you still need the phone number
to ID the contact.
To address some of the other points that have been made.
Having a back-up communication channel is the important bit. The how can
be up to the PMC. Think "How would we co-ordinate a security fix and/or
a release if we didn't have ASF communication channels?".
My expectation for Tomcat - just as an example - is that we'd use Signal
to coordinate what we were going to do, which would probably be email
with our direct addresses on the CC and lots of "Reply all". But it
could be Slack. Or we could just stay on Signal (might encourage us to
keep messages short). We might even fall back to IRC.
As long as there is a back-up communication channel you can use it to
coordinate moving from non-working ASF channels to whatever is the most
appropriate for the PMC in the circumstances.
Closing the loop a little on this, here. It seems there is no consensus,
so I guess nothing to recommend to PMCs.
Here's what the Tomcat PMC has chosen to implement:
Simple text file in private repo: contacts.txt
This is an opt-in list of PMC members and their self-asserted mobile
telephone numbers, with the expectation that the method of communication
will be via Signal message with a fallback to SMS. It includes a flag
for "Security Only" so that we can feel free to use the other contacts for
e.g. coordinating beer at conferences.
So far, 7 PMC members have opted-in to give their contact information.
This includes all of the most active PMC members. Fortunately, all
recent security issues have been (a) minor and (b) easily handled via
our typical email channels.
Maybe we could use the next opportunity as a test-run, I suppose.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
For additional commands, e-mail: security-discuss-h...@community.apache.org