Apache Subversion used to have its own security mailing list before it
came to the Apache Software Foundation. We decided that the *influx*
of security problems was low enough that we left that mailing list
behind. Today, we rely entirely on secur...@apache.org for external
entities to report problems[1].

Note that there are two purposes for secur...@apache.org:

1) external users report problems here
2) it is the Apache Security Team, and is used to contact them and to
keep them in the discussion loop.

On the page you referenced[2], all of the steps talk about the
"project team". That is not a subset of the PMC. That *is* the PMC.
The entire PMC is responsible for the project.

As an example, the Apache Subversion project manages the entire
response to a problem on private@subversion.a.o, keeping
secur...@apache.org cc'd on the discussion. We produce the patch, get
it tested, and use our private repository to develop the CVE text
(after we request CVE(s) from the security@ folks).

private@subversion.a.o has several dozen people on it. Probably more.

One key is to ensure that the people on the (P)PMC list understand
what the security response protocol looks like. They need to
understand that we keep it private until the vulnerability is ready
for disclosure. That disclosure typically includes CVE notices, and it
includes a pre-notification to a list of people (we keep that list in
svn, too, along with a script to send them the notification). Anybody
that we feel has an interest and impact in hearing about svn
vulnerabilities is asked (e.g., packagers and big hosting companies).

Once the Apache OO.o PPMC has a solid understanding, or at least a
solid agreement in *confidentiality*, then security issues can be
handled on ooo-private@incubator.a.o.

I don't believe that we need our own security address since I doubt
we'll have that many *incoming* issues. Those reports can go to
secur...@apache.org, and that team will forward them to the PPMC.

Cheers,
-g

[1] http://subversion.apache.org/security/
[2] http://www.apache.org/security/committers.html

On Wed, Jul 6, 2011 at 19:50, Dennis E. Hamilton
<dennis.hamil...@acm.org> wrote:
> I'm assuming the goal is to keep the analysis and discussion of alleged 
> vulnerabilities to a relatively small need-to-know group.
>
> I don't know that 10 is a hard number; I heard it as a suggestion when I 
> asked around about how this works at Apache.  Do you know typical sizes for 
> security@project lists?
>
>  - Dennis
>
> -----Original Message-----
> From: Daniel Shahaf [mailto:d...@daniel.shahaf.name]
> Sent: Wednesday, July 06, 2011 15:54
> To: OOo-dev Apache Incubator
> Subject: Re: [DISCUSS] Creation of ooo-security List
>
> Dennis E. Hamilton wrote on Wed, Jul 06, 2011 at 12:02:31 -0700:
>> I've learned that the Apache approach is for each PMC taking the lead
>> in handling security matters related to its releases.  To maintain the
>> security of security matters, the practice is to have a private list
>> (for us, ooo-security) with not more than ten security-aware
>> subscribers.
>
> I've never heard of a magic number cap to the # of subscribers of
> a mailing list.
>