On Wed, Oct 10, 2012 at 2:34 AM, Ziller Eike <eike.zil...@digia.com> wrote:
>> -CVE/CERT aka private/exclusive notifications go to some email address
>> that only core security team has access to:
>> security-priv...@qt-project.org or something
>
> in the proposal that is secur...@qt-project.org
>

Yes, but it is a private email address that only the core security
team has read access to. I am proposing we change that, and the
creation of security-priv...@qt-project.org is to accommodate
CVE/CERT requiring non-disclosure. I guess other people could send to
it too, but I don't really care what goes on in there, to be honest.

>> -secur...@qt-project.org becomes 'Security' mailing list, public
>> Read/Write. Only people interested in security read from or post to
>> this list. Questions, suggestions, etc
>
> in the proposal that is development@ and/or interest@
>

Exactly, it isn't there. Security issues should be handled, or at the
very least categorized, differently from regular development/interest
discussion.

>> -security-annou...@qt-project.org/Security-announce mailing list
>> announces immediately on (a) vuln existence confirmation, (b) vuln fix
>> (a and b can be grouped together, but a should not wait for b).
>> Distributors and Qt _users_ alike subscribe to this list, but with
>> Read-Only access. Core security team has write access
>
> in the proposal that is announce@
>

Eh, not really. Nothing was mentioned about dispatching an email
immediately after a vuln is confirmed. And if you want to flood the
main Announce with boring (to most) security posts then go for it...
but I wouldn't.


Also, what's with your post? You basically just re-stated everything in
the original proposal with nothing new added. Are you trolling me or
...?

d3fault
_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development