Agreed.

> On Jan 6, 2017, at 8:41 PM, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
> 
> On Fri, Jan 6, 2017 at 4:24 PM, Ed Cable <edca...@mifos.org> wrote:
>> Could our Apache Fineract mentors please provide some guidance on a couple
>> of the areas we need to improve upon:
>> 
>> QU10 "The project is open and honest about the quality of its code.
>> Various levels of quality and maturity for various modules are natural and
>> acceptable as long as they are clearly communicated." -
>> 
>> Do you have any other projects you could point to that have strong,
>> transparent measures of quality and maturity clearly available? We want to
>> follow best practices and adopt similar ones to display at
>> http://fineract.incubator.apache.org
> 
> Regular deployment of tools like Findbugs is a good indication that you take
> this requirement seriously.
> 
>> QU30: The project provides a well-documented channel to report security
>> issues, along with a documented way of responding to them.
>> 
>> Currently we just link to: http://www.apache.org/security/ Are we able to
>> do as other projects at http://www.apache.org/security/projects.html, or is
>> a private channel not something we can set up till we're out of
>> incubation? If we can move forward, I'd suggest we have a security page
>> on our site, document and fix known vulnerabilities, and then provide clear
>> instructions on reporting vulnerabilities to a private channel like
>> secur...@fineract.incubator.apache.org
> 
> This is less about security@fineract vs. http://www.apache.org/security/
> and more about the community being ready for when the first 0-day
> hits either of those. Being ready is a combination of tribal knowledge,
> wiki recommendations and a release policy that would allow you to patch
> at the drop of a hat.
> 
> Thanks,
> Roman.