> -----Original Message----- > From: Rob Weir [mailto:apa...@robweir.com] > Sent: Friday, 29 July 2011 11:25 AM > To: ooo-dev@incubator.apache.org > Subject: Re: Population of ooo-security >
<snip> > > That raises some questions: > > A) How does one engage with the Apache Security team for "help and advice > to Apache projects on security issues" if any mail that "does not relate to an > undisclosed security problem in an Apache product will be ignored". Is there > another list we should be asking process-related questions? there is the secur...@apache.org list. However, all our project security mailing lists are linked with that list automatically - any email sent to ooo-security list for instance will also send a copy to the main apache security team list. > > B) Why is is the significance of their statement, "All members of the Security > Team are also members of the Apache Software Foundation". > That means that they can vote for members of the Apache Board, right? > Why is that significant for the security? It means only members of the foundation may be a member of the main Apache security team. This is for several reasons, one of which is simply that only members of the foundation can have access to other projects private mailing lists, a pretty important need for any security team member as all project security lists are private. Gav... > > > [1] http://www.apache.org/security/ > > > > It is interesting to see the type of information about each CVE and the > > fixes > on three different Tomcat versions. > > > > Regards, > > Dave
