I'm assuming the goal is to keep the analysis and discussion of alleged vulnerabilities to a relatively small need-to-know group.
I don't know that 10 is a hard number, I heard it as a suggestion when I asked around about how this works at Apache. Do you know typical sizes for security@project lists?

 - Dennis

-----Original Message-----
From: Daniel Shahaf [mailto:d...@daniel.shahaf.name]
Sent: Wednesday, July 06, 2011 15:54
To: OOo-dev Apache Incubator
Subject: Re: [DISCUSS] Creation of ooo-security List

Dennis E. Hamilton wrote on Wed, Jul 06, 2011 at 12:02:31 -0700:
> I've learned that the Apache approach is for each PMC taking the lead
> in handling security matters related to its releases. To maintain the
> security of security matters, the practice is to have a private list
> (for us, ooo-security) with not more than ten security-aware
> subscribers.

I've never heard of a magic number cap to the # of subscribers of a mailing list.