Re: Security mailing list
On 20 December 2017 at 14:39, Jochen Wiedmann wrote:
> On Wed, Dec 20, 2017 at 3:20 PM, sebb wrote:
>> Anyone want to find/update the website references?
>
> Could you do that, please? I am completely lost as to how we do that nowadays.

Anyone can find the references ...

> Thanks,
>
> Jochen
>
> --
> The next time you hear: "Don't reinvent the wheel!"
>
> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
Re: Security mailing list
On Wed, Dec 20, 2017 at 3:20 PM, sebb wrote:
> Anyone want to find/update the website references?

Could you do that, please? I am completely lost as to how we do that nowadays.

Thanks,

Jochen
Re: Security mailing list
Anyone want to find/update the website references?

On 20 December 2017 at 14:13, sebb wrote:
> BTW it's all set up now.
>
> On 19 December 2017 at 20:24, Jochen Wiedmann wrote:
>> On Tue, Dec 19, 2017 at 6:47 PM, Gary Gregory wrote:
>>> Request submitted!
>>
>> Thanks a lot!
Re: Security mailing list
BTW it's all set up now.

On 19 December 2017 at 20:24, Jochen Wiedmann wrote:
> On Tue, Dec 19, 2017 at 6:47 PM, Gary Gregory wrote:
>> Request submitted!
>
> Thanks a lot!
Re: Security mailing list
On Tue, Dec 19, 2017 at 6:47 PM, Gary Gregory wrote:
> Request submitted!

Thanks a lot!
Re: Security mailing list
Request submitted!

Gary

On Tue, Dec 19, 2017 at 10:09 AM, Jochen Wiedmann wrote:
> On Tue, Dec 19, 2017 at 5:22 PM, sebb wrote:
>
> > selfserve.apache.org
>
> Access restricted to PMC chairs only!
>
> So, it looks like a task for Gary?
>
> Jochen
Re: Security mailing list
On Tue, Dec 19, 2017 at 5:22 PM, sebb wrote:
> selfserve.apache.org

Access restricted to PMC chairs only!

So, it looks like a task for Gary?

Jochen
Re: Security mailing list
selfserve.apache.org

On 19 December 2017 at 13:58, Jochen Wiedmann wrote:
> On Tue, Dec 19, 2017 at 2:05 PM, Mark Thomas wrote:
>
>> Jira not required. Use the standard mailing list request form. If you
>> request a security@ list the extra stuff (make it private, cc security@a.o
>> on all mail) happens automatically.
>
> Thanks, Mark! But what is the "standard mailing list request form", please?
>
> Jochen
Re: Security mailing list
On Tue, Dec 19, 2017 at 2:05 PM, Mark Thomas wrote:
> Jira not required. Use the standard mailing list request form. If you request
> a security@ list the extra stuff (make it private, cc security@a.o on all
> mail) happens automatically.

Thanks, Mark! But what is the "standard mailing list request form", please?

Jochen
Re: Security mailing list
On 19 December 2017 11:37:48 GMT+00:00, Jochen Wiedmann wrote:
>Okay, in my opinion the response indicates that my proposal is
>acceptable to all. Do we need a formal vote? (I hope not.) So, how do
>we proceed? Would it be okay for me to file a Jira issue?
>
>Thanks,
>
>Jochen

No need for a vote in my view.

Jira not required. Use the standard mailing list request form. If you request a security@ list the extra stuff (make it private, cc security@a.o on all mail) happens automatically.

Mark
Re: Security mailing list
Okay, in my opinion the response indicates that my proposal is acceptable to all. Do we need a formal vote? (I hope not.) So, how do we proceed? Would it be okay for me to file a Jira issue?

Thanks,

Jochen
Re: Security mailing list
On 18 December 2017 at 05:11, Stefan Bodewig wrote:
> Hi
>
> first of all I'm +0.
>
> On 2017-12-15, Jochen Wiedmann wrote:
>
>> As a consequence, I'd like to question how others are handling this.
>> Could we have a mailing list, like secur...@commons.apache.org,
>> preferably with subscription limited to private@ members, and
>> secur...@apache.org subscribed automatically. (In theory, we could
>> subscribe selected committers, too.)
>
> My guess is we won't get people subscribed who are familiar enough with
> the code for every component. In the end the subscribers of the security
> list will need to reach out to the private list to deal with the issues
> so I'm not sure the new list would be helping much. But I won't stand in
> the way.

Even if (nearly) everyone on the PMC ends up being subscribed to the security list, IMO it should still help to keep track of issues.
We cannot use standard JIRA or Bugzilla because they are public.

So +1 from me.

> Stefan
Re: Security mailing list
Hi

first of all I'm +0.

On 2017-12-15, Jochen Wiedmann wrote:

> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like secur...@commons.apache.org,
> preferably with subscription limited to private@ members, and
> secur...@apache.org subscribed automatically. (In theory, we could
> subscribe selected committers, too.)

My guess is we won't get people subscribed who are familiar enough with the code for every component. In the end the subscribers of the security list will need to reach out to the private list to deal with the issues so I'm not sure the new list would be helping much. But I won't stand in the way.

Stefan
Re: Security mailing list
On 2017-12-17 16:07, Gary Gregory wrote:
> Is there a requirement to double post to s@a.o? If not switching from s@a.o
> to s@c.a.o seems ok.

I understand that s@a.o can be subscribed to s@c.a.o, so there would be no need for double posting. [1]

Jochen

1: https://issues.apache.org/jira/browse/INFRA-15671
Re: Security mailing list
On Sun, Dec 17, 2017 at 6:47 PM, Gary Gregory wrote:
> If they only post to s@a.o, then they will forward to s@c.a.o
>
> Who will do this forwarding?

The same persons, or mechanisms, which are forwarding to private@c.a.o now.

Jochen
Re: Security mailing list
On Dec 17, 2017 08:39, "sebb" wrote:

On 17 December 2017 at 15:07, Gary Gregory wrote:
> Is there a requirement to double post to s@a.o? If not switching from s@a.o
> to s@c.a.o seems ok.

Huh? Not sure where the double post ref comes from.

All security issues must be copied to s@a.o.
This is done automatically if users post to s@c.a.o.
If they only post to s@a.o, then they will forward to s@c.a.o

Who will do this forwarding?

Gary
Re: Security mailing list
On 17 December 2017 at 15:07, Gary Gregory wrote:
> Is there a requirement to double post to s@a.o? If not switching from s@a.o
> to s@c.a.o seems ok.

Huh? Not sure where the double post ref comes from.

All security issues must be copied to s@a.o.
This is done automatically if users post to s@c.a.o.
If they only post to s@a.o, then they will forward to s@c.a.o
Re: Security mailing list
Is there a requirement to double post to s@a.o? If not switching from s@a.o to s@c.a.o seems ok.

Gary
Re: Security mailing list
+0 or +1. Seems ok.

> On Dec 17, 2017, at 7:21 AM, Jacques Le Roux wrote:
>
> +1
>
> Jacques
Re: Security mailing list
+1

Jacques

On 17/12/2017 at 12:22, Romain Manni-Bucau wrote:

+1
Re: Security mailing list
+1

On 17 Dec 2017 12:14, "Mark Thomas" wrote:

> On 15/12/2017 11:13, Jochen Wiedmann wrote:
> > Hi,
> >
> > over the last months we have definitely seen our share of security
> > related issues. However, I also noticed that we had a tendency to
> > lose these threads in the overall noise, resulting in mails like "Did
> > anyone reply to the reporter?"
> >
> > No, according to Linus Torvalds, that is perfectly fine, because a
> > security issue is "just another bug". However, I am not Linus, and
> > would like to see these things in a better state.
> >
> > As a consequence, I'd like to question how others are handling this.
> > Could we have a mailing list, like secur...@commons.apache.org,
> > preferably with subscription limited to private@ members, and
> > secur...@apache.org subscribed automatically. (In theory, we could
> > subscribe selected committers, too.)
>
> +1
>
> Works for me.
>
> Mark
>
> > At the very least, this would allow us to create a filter for security
> > related messages, thereby concentrate our attention.
> >
> > Jochen
Re: Security mailing list
On 15/12/2017 11:13, Jochen Wiedmann wrote:
> Hi,
>
> over the last months we have definitely seen our share of security
> related issues. However, I also noticed that we had a tendency to
> lose these threads in the overall noise, resulting in mails like "Did
> anyone reply to the reporter?"
>
> No, according to Linus Torvalds, that is perfectly fine, because a
> security issue is "just another bug". However, I am not Linus, and
> would like to see these things in a better state.
>
> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like secur...@commons.apache.org,
> preferably with subscription limited to private@ members, and
> secur...@apache.org subscribed automatically. (In theory, we could
> subscribe selected committers, too.)

+1

Works for me.

Mark

> At the very least, this would allow us to create a filter for security
> related messages, thereby concentrate our attention.
>
> Jochen
Re: Security mailing list
I think that the topic would deserve a few more replies.

Jochen
Re: Security mailing list
On 15 December 2017 at 16:12, Matt Sicker wrote:
> There certainly are several ASF projects that have dedicated security@
> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
> secur...@apache.org and then security@ would forward to the appropriate
> commons list?

Either.

If they mail security@a.o then they will forward to security@commons

If they mail security@commons, then security@a.o is automatically copied.
Re: Security mailing list
There certainly are several ASF projects that have dedicated security@ mailing lists (e.g., Tomcat has one). Would bug reporters still just email secur...@apache.org and then security@ would forward to the appropriate commons list?

--
Matt Sicker
Re: Security mailing list
On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
> Hi,
>
> over the last months we have definitely seen our share of security
> related issues. However, I also noticed that we had a tendency to
> lose these threads in the overall noise, resulting in mails like "Did
> anyone reply to the reporter?"
>
> No, according to Linus Torvalds, that is perfectly fine, because a
> security issue is "just another bug". However, I am not Linus, and
> would like to see these things in a better state.
>
> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like secur...@commons.apache.org,

+1

Gilles

> preferably with subscription limited to private@ members, and
> secur...@apache.org subscribed automatically. (In theory, we could
> subscribe selected committers, too.)
>
> At the very least, this would allow us to create a filter for security
> related messages, thereby concentrate our attention.
>
> Jochen