There certainly are several ASF projects that have dedicated security@ mailing lists (e.g., Tomcat has one). Would bug reporters still just email secur...@apache.org and then security@ would forward to the appropriate commons list?
On 15 December 2017 at 08:03, Gilles <gil...@harfang.homelinux.org> wrote:
> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>
>> Hi,
>>
>> over the last months we have definitely seen our share of security
>> related issues. However, I also noticed that we had a tendency to
>> lose these threads in the overall noise, resulting in mails like "Did
>> anyone reply to the reporter?"
>>
>> No, according to Linus Torvalds, that is perfectly fine, because a
>> security issue is "just another bug". However, I am not Linus, and
>> would like to see these things in a better state.
>>
>> As a consequence, I'd like to question how others are handling this.
>> Could we have a mailing list, like secur...@commons.apache.org,
>>
>
> +1
>
> Gilles
>
>> preferably with subscription limited to private@ members, and
>> secur...@apache.org subscribed automatically. (In theory, we could
>> subscribe selected committers, too.)
>>
>> At the very least, this would allow us to create a filter for security
>> related messages, thereby concentrating our attention.
>>
>> Jochen
>>

-- 
Matt Sicker <boa...@gmail.com>