On Sun, Aug 17, 2008 at 09:42:02PM -0500, Yaakov (Cygwin Ports) wrote:
>Christopher Faylor wrote:
>> I hate to suggest another mailing list but I wonder if we should have
>> another unarchived, closed list for discussing security issues.  The
>> recent setup.exe problem got me thinking that we might need something
>> like this.
>> I'm not suggesting that this email was inappropriate since these are all
>> known issues but maybe another mailing list might help focus on
>> important security issues.
>> Or should we just use this list and not worry about it?
>The major problem that we have with security is that we don't have a
>person/team which has advance notice of security issues like the Linux
>distros have, and I have no idea how to go about changing that.  Right
>now I have to wait for the issues to be public in order to know about them.

Either Corinna or I can ask the Red Hat person responsible for these
matters how we can "sign up" for this wonderful duty.

>If we can set up a "security team" from the core group of maintainers
>and start getting advance notices, then we definitely will need a way of
>communicating in private.  I would agree to such a list for the
>"security team" only, but I would suggest it be used in tandem with
>"closed" Bugzilla entries.  This would allow including a maintainer on a
>per-issue basis, and once the issue is public, the bug could then be opened.

Yes, I thought we'd use closed Bugzilla for this.  I actually am kicking
myself for not suggesting this during the setup.exe security problem.
We were using Red Hat's bugzilla for that and the person who reported
the problem was continually confused by the fact that this wasn't a Red
Hat issue.  They were just kindly letting us use their bugzilla in a "no
good deed goes unpunished" kind of way.