On 17 December 2017 at 15:07, Gary Gregory <garydgreg...@gmail.com> wrote:
> Is there a requirement to double post to s@a.o? If not switching from s@a.o
> to s@c.a.o seems ok.

Huh?
Not sure where the double post ref comes from.

All security issues must be copied to s@a.o.
This is done automatically if users post to s@c.a.o.
If they only post to s@a.o, then they will forward to s@c.a.o

> Gary
>
> On Dec 17, 2017 03:31, "Jochen Wiedmann" <jochen.wiedm...@gmail.com> wrote:
>
>> I think, that the topic would deserve a few more replies.
>>
>> Jochen
>>
>>
>> On Fri, Dec 15, 2017 at 6:07 PM, sebb <seb...@gmail.com> wrote:
>> > On 15 December 2017 at 16:12, Matt Sicker <boa...@gmail.com> wrote:
>> >> There certainly are several ASF projects that have dedicated security@
>> >> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
>> >> secur...@apache.org and then security@ would forward to the appropriate
>> >> commons list?
>> >
>> > Either.
>> >
>> > If they mail security@a.o then they will forward to security@commons
>> >
>> > If they mail security@commons, then security@a.o is automatically copied.
>> >
>> >> On 15 December 2017 at 08:03, Gilles <gil...@harfang.homelinux.org> wrote:
>> >>
>> >>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>> >>>
>> >>>> Hi,
>> >>>>
>> >>>> over the last months we have definitely seen our share of security
>> >>>> related issues. However, I also noticed that we had a tendency to
>> >>>> lose these threads in the overall noise, resulting in mails like "Did
>> >>>> anyone reply to the reporter?"
>> >>>>
>> >>>> No, according to Linus Torvalds, that is perfectly fine, because a
>> >>>> security issue is "just another bug". However, I am not Linus, and
>> >>>> would like to see these things in a better state.
>> >>>>
>> >>>> As a consequence, I'd like to question how others are handling this.
>> >>>> Could we have a mailing list, like secur...@commons.apache.org,
>> >>>>
>> >>>
>> >>> +1
>> >>>
>> >>> Gilles
>> >>>
>> >>>> preferably with subscription limited to private@ members, and
>> >>>> secur...@apache.org subscribed automatically. (In theory, we could
>> >>>> subscribe selected committers, too.)
>> >>>>
>> >>>> At the very least, this would allow us to create a filter for security
>> >>>> related messages, thereby concentrating our attention.
>> >>>>
>> >>>> Jochen
>> >>>>
>> >>>
>> >>>
>> >>> ---------------------------------------------------------------------
>> >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> >>> For additional commands, e-mail: dev-h...@commons.apache.org
>> >>>
>> >>>
>> >>
>> >>
>> >> --
>> >> Matt Sicker <boa...@gmail.com>
>> >
>>
>>
>>
>> --
>> The next time you hear: "Don't reinvent the wheel!"
>>
>> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>>