+1 Jacek
On Wed, Jul 23, 2008 at 7:13 PM, Kevan Miller <[EMAIL PROTECTED]> wrote:

> All,
>
> There was a recent report by Fortify on Open Source Security -- http://www.fortify.com/l/oss/assets/OpenSource_Security_WP_v5.pdf
>
> The report says there were some number of potential vulnerabilities identified in Geronimo. No details of the vulnerabilities have been reported to us (although the tests seem to have been run some time ago...). Once we understand what the potential vulnerabilities are, we can start to assess...
>
> The report does identify concerns that we could be doing a better job of reporting security vulnerabilities and letting users know how they can report security vulnerabilities to our project. I agree with this.
>
> As noted here -- http://www.apache.org/foundation/contact.html -- any ASF security concerns can be safely relayed with an email to [EMAIL PROTECTED]
>
> It probably makes sense for us to create a [EMAIL PROTECTED] mailing list. Project-specific security mailing lists are automatically relayed to the [EMAIL PROTECTED] mailing list. A project-specific list will reduce spam and allow us to focus on Geronimo issues, rather than Apache-wide issues.
>
> I also think that we should create a security page on our web site (e.g. geronimo.apache.org/security). This page could be used to describe how any potential vulnerabilities should be reported. It should also be used to report vulnerabilities as they are fixed. This allows users to easily identify what security exposures a particular version of Geronimo might have.
>
> Thoughts on the mailing list and web site? Assuming we're in general agreement, I'd like to see us working on these in the near future.
>
> Finally, I've learned that there are a few potential sources for running static code analysis scans against our codebase:
>
> https://opensource.fortify.com/teamserver/welcome.fhtml
> http://scan.coverity.com/
>
> I think we should take a look at these and decide if it's something we want to take advantage of. Thoughts?
>
> --kevan

--
Jacek Laskowski
Notatnik Projektanta Java EE - http://www.JacekLaskowski.pl