On Monday, October 14, 2002, at 01:40 PM, Costin Manolache wrote:
> Chuck Murcko wrote:
>
>> There's currently a call for project committers to be on the
>> [EMAIL PROTECTED] list. This list intends to be the clearinghouse for
>> all ASF project related security issues, not just httpd.
>>
>> Costin, Craig, et al.: the deal seems to be that each major project
>> version have someone who's a committer subscribed as a project liaison.
>> So it might make sense if you both signed up, or if other committers
>> wanted to step forward...I would leave that to you all to figure out.
>>
>> Not to short-circuit a Tomcat committers list, because there may well
>> be issues other than security to deal with, and it would make sense to
>> have information flow between security@ and a proposed
>> tomcat-committers@ anyway (I'm thinking the detailed hashing of fixes
>> would happen on the latter list).
>
> Regarding [EMAIL PROTECTED] - I think that all who play the role of
> release manager should be on the list (i.e. Remy, Larry, Mladen,
> Henri).
> It seems to be open for a limited number of 'liaisons' (I hope it
> is more than one, as we have several major components).
>
> My preference is that any tomcat committer who is interested to be able
> to get this info and discuss (and hopefully fix) tomcat security
> issues. I hope that whoever gets the security messages will fix them or
> forward them to tomcat-committers - but that's of course his choice.
>
> If the apache list is open to any committer - I'll certainly subscribe
> (and I hope most active tomcat committers will do the same!),
> but that doesn't remove the need for a private list for tomcat
> committers.
>

Yes, the security list is open to all committers, and it is not a 1:1 mapping of projects to committers/subscribers. Definitely all the RMs should be on it, as well as interested committers from each project/major component. I should have said "at least one" somewhere before, especially if a fix needs to get rolled out quickly and precisely.

As for other issues needing a private and local (to Tomcat) list, I must leave that to you all to decide. After thinking about it a bit more, MHO is that a separate committers list really sounds equivalent to having committer participation on the PMC list for jakarta, if that is possible.

Chuck