On 07.07.2011 02:21, Greg Stein wrote:
> I don't believe that we need our own security address since I doubt
> we'll have that many *incoming* issues. Those reports can go to
> secur...@apache.org, and that team will forward them to the PPMC.

"Many" is a quantity that is hard to compare with ;-). From past experience it seems that the number of incoming issues increased in the last years. Not because our code became worse, but because more people looked for security holes systematically.

Besides that, I tend to agree that we shouldn't start with our own security list before we are sure that the Apache list can't handle the number of incoming issues.

Regards,
Mathias