All,
There was a recent report by Fortify on Open Source Security -- 
http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
The report says there were some number of potential vulnerabilities identified in Geronimo. No details of the vulnerabilities have been reported to us (although the tests seem to have been run some time ago...). Once we understand what the potential vulnerabilities are, we can start to assess...

The report does identify concerns that we could be doing a better job of reporting security vulnerabilities and letting users know how they can report security vulnerabilities to our project. I agree with this.

As noted here -- http://www.apache.org/foundation/contact.html -- any ASF security concerns can be safely relayed with an email to [EMAIL PROTECTED] .

It probably makes sense for us to create a [EMAIL PROTECTED] mailing list. Project-specific security mailing lists are automatically relayed to the [EMAIL PROTECTED] mailing list. A project-specific list will reduce spam and allow us to focus on Geronimo issues, rather than Apache-wide issues.

I also think that we should create a security page on our web site (e.g. geronimo.apache.org/security). This page could be used to describe how any potential vulnerabilities should be reported. It should also be used to report vulnerabilities as they are fixed. This allows users to easily identify what security exposures a particular version of Geronimo might have.

Thoughts on the mailing list and web site? Assuming we're in general agreement, I'd like to see us working on these in the near future.

Finally, I've learned that there are a few potential sources for running static code analysis scans against our codebase:

   https://opensource.fortify.com/teamserver/welcome.fhtml
   http://scan.coverity.com/

I think we should take a look at these and decide if it's something we want to take advantage of. Thoughts?

--kevan
