I have no idea where the original thread happened, at least I didn't see any mails before this one.
On Wed, 23 Feb 2005, robert burrell donkin <[EMAIL PROTECTED]> wrote:

> i wonder whether henri might be able to bring this up (either
> formally or informally) with aim of discovering whether jakarta in
> general and tomcat in particular have the right structures in place
> and what improvements we might make.

The structures are pretty well defined. Each project is supposed to have at least one security liaison that the security committee knows about. Incoming security issues are supposed to go through this liaison, but recent mails to the PMC list suggest it doesn't happen that way.

>>> Having just dealt with the issue below I was thinking where else,
>>> other than the Tomcat User mailing list this information needed to
>>> be sent?

[EMAIL PROTECTED] and [EMAIL PROTECTED], IMHO. This along with a new Tomcat release that fixes the issue.

From my experience fix => release => announce is the process used by other projects, including httpd. And from an end-user standpoint the process that makes sense the most.

>>> 2. Do we publish anywhere a list of known security issues and
>>> their associated fixes? If yes, where? If not, should we?

I think we should follow the httpd way. <http://httpd.apache.org/security_report.html> is linked from the main navigation. If you look into one of the pages linked from there, it goes to apacheweek for some reason, but we should be able to produce the same sort of content ourselves.

>> Not that I know. I'd assume it'd be a Tomcat page somewhere?

+1

Stefan