It’s fine to have a page and a security mailing list. Who from the PPMC is going to monitor the security@ mailing list?
I’m already subscribed to private@

I would not want sensitive topics and reports to be discussed in this security ML if anyone is allowed to be subscribed.

The ASF process still needs to be followed anyway, and for any reports we would need to loop in secur...@apache.org anyway.

I bet people would email secur...@openwhisk.apache.org by mistake with sensitive data when they should have used secur...@apache.org, and I also bet we will be explaining multiple times when to use each ML list.

If we have such an ML list I certainly will not be using it or subscribing, and I expect any serious reports and findings to find their way to private@

If there are users that have security questions on how to do something, or someone sharing best practice for security, they can certainly use the dev@ list we have today.

+1 to have a security page
-1 to have yet another ML list secur...@openwhisk.apache.org

- Carlos Santana
@csantanapr

> On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz <bdelacre...@apache.org> wrote:
>
> Hi,
>
>> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana <csantan...@gmail.com> wrote:
>> For security reports, ASF already have a process let's not improvise..
>
> Agreed but it's fine for projects to have their own security page, as
> long as the ASF process is followed.
>
>> ... Reported should send email to secur...@apache.org ...
>
> It's also ok for projects to have their own security@ list, see
> https://sling.apache.org/project-information/security.html for an
> example.
>
> -Bertrand