Hi all, I've been busy creating JOR accounts this weekend, and it was cool to see so many names from Lucene. Lucene, Solr, and Nutch have the lowest defect rates among the projects we've looked at, and I'm beginning to see why.
One of the things JOR is doing is inviting people to come and help review issues we find with static analysis. We've had a fair number of signups since the project was on Slashdot. My question is, would you like to allow outsiders to go through results and help sort the real bugs from the chaff?

The upside is that volunteers may perform useful work and that it may be another avenue to get people involved with the code. The downside is that things like XSS in admin pages may lead them to make more ruckus than is really appropriate.

The situation may change if we can establish a mechanism for efficiently moving issues into Jira, but for now, I could imagine a number of different policies, including:

- Allow anyone access who asks for it.
- Allow access on a case-by-case basis.
- Don't allow access to outsiders.

Here are the "outsiders" who've requested access so far, along with a few words to summarize what they've told me about themselves.

Lucene
------
Varun Nair <[EMAIL PROTECTED]>: budding code auditor at TCS
Martin Englund <[EMAIL PROTECTED]>: Experienced auditor at Sun
[EMAIL PROTECTED]: Looks like he's just testing the waters

Lucene, Nutch, Solr
------
Thierry De Leeuw <[EMAIL PROTECTED]>: experienced vulnerability hunter
Michael Bunzel <[EMAIL PROTECTED]>: experienced auditor, but new to auditing Java

Thoughts?

Brian