Hey all,
dveditz just said on IRC: "this is better as a mail
conversation I think -- either mozilla.dev.security or security-group
(depending on your taste for open-but-small-audience vs
better-audience-but-hidden)"
This perfectly phrases and frames the problem. We're an open-source
project and for me that also means openness in project structure,
decision-making and leadership. Transparency.
The majority of discussions here on this list are policy discussions
that are not specifically about bugs that are still embargoed, but
either general "what should we do about this whole class of problems" or
about security bugs that are already in the wild and that we need to
react to. So, there is no inherent need to keep these discussions hidden.
For those discussions which do need to stay hidden from public view, we
can keep this list. For all others, we could theoretically use
mozilla.dev.security, but there's way too much noise there, so nobody of
importance reads it. I tried posting there several times, and got
practically no relevant responses. I suggest:
Create a mailing-list that is moderated. Members of the security-group
get automatically subscribed (but they can optionally unsubscribe
themselves, if they really don't want it), and they can post without
moderator approval. Everybody else can read it, and it has a newsgroup
equivalent, but nobody can post from there.
The point would be that there is a public track record of our decisions
and why we made them, but we avoid the noise.
I've suggested this before, but it got overloaded with many other things
and turned into a very complex proposal, so I'd like to post only this
one proposal.
Ben
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security