On 15 December 2017 at 16:12, Matt Sicker <boa...@gmail.com> wrote:
> There certainly are several ASF projects that have dedicated security@
> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
> secur...@apache.org and then security@ would forward to the appropriate
> commons list?

Either.
If they mail security@a.o then they will forward to security@commons.
If they mail security@commons, then security@a.o is automatically copied.

> On 15 December 2017 at 08:03, Gilles <gil...@harfang.homelinux.org> wrote:
>
>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>>
>>> Hi,
>>>
>>> over the last months we have definitely seen our share of security
>>> related issues. However, I also noticed that we had a tendency to
>>> lose these threads in the overall noise, resulting in mails like "Did
>>> anyone reply to the reporter?"
>>>
>>> No, according to Linus Torvalds, that is perfectly fine, because a
>>> security issue is "just another bug". However, I am not Linus, and
>>> would like to see these things in a better state.
>>>
>>> As a consequence, I'd like to question how others are handling this.
>>> Could we have a mailing list, like secur...@commons.apache.org,
>>>
>>
>> +1
>>
>> Gilles
>>
>> preferably with subscription limited to private@ members, and
>>> secur...@apache.org subscribed automatically. (In theory, we could
>>> subscribe selected committers, too.)
>>>
>>> At the very least, this would allow us to create a filter for security
>>> related messages, thereby concentrate our attention.
>>>
>>> Jochen
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org
>>
>
> --
> Matt Sicker <boa...@gmail.com>