Re: Security mailing list

2017-12-20 Thread sebb
Anyone want to find/update the website references?

On 20 December 2017 at 14:13, sebb  wrote:
> BTW it's all set up now.
>
> On 19 December 2017 at 20:24, Jochen Wiedmann wrote:
>> On Tue, Dec 19, 2017 at 6:47 PM, Gary Gregory  wrote:
>>> Request submitted!
>>
>> Thanks a lot!
>>
>> --
>> The next time you hear: "Don't reinvent the wheel!"
>>
>> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org
>>

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org



Re: Security mailing list

2017-12-20 Thread sebb
BTW it's all set up now.

On 19 December 2017 at 20:24, Jochen Wiedmann  wrote:
> On Tue, Dec 19, 2017 at 6:47 PM, Gary Gregory  wrote:
>> Request submitted!
>
> Thanks a lot!
>
> --
> The next time you hear: "Don't reinvent the wheel!"
>
> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>



Re: Security mailing list

2017-12-19 Thread Jochen Wiedmann
On Tue, Dec 19, 2017 at 6:47 PM, Gary Gregory  wrote:
> Request submitted!

Thanks a lot!

-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg




Re: Security mailing list

2017-12-19 Thread Gary Gregory
Request submitted!

Gary

On Tue, Dec 19, 2017 at 10:09 AM, Jochen Wiedmann  wrote:

> On Tue, Dec 19, 2017 at 5:22 PM, sebb  wrote:
>
> > selfserve.apache.org
>
>
> Access restricted to PMC chairs only!
>
> So, it looks like a task for Gary?
>
> Jochen
>
>
>
> --
> The next time you hear: "Don't reinvent the wheel!"
>
> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>
>
>


Re: Security mailing list

2017-12-19 Thread Jochen Wiedmann
On Tue, Dec 19, 2017 at 5:22 PM, sebb  wrote:

> selfserve.apache.org


Access restricted to PMC chairs only!

So, it looks like a task for Gary?

Jochen



-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg




Re: Security mailing list

2017-12-19 Thread sebb
selfserve.apache.org



On 19 December 2017 at 13:58, Jochen Wiedmann  wrote:
> On Tue, Dec 19, 2017 at 2:05 PM, Mark Thomas  wrote:
>
>> Jira not required. Use the standard mailing list request form. If you
>> request a security@ list the extra stuff (make it private, cc security@a.o
>> on all mail) happens automatically.
>
> Thanks, Mark! But what is the "standard mailing list request form", please?
>
> Jochen
>
>
> --
> The next time you hear: "Don't reinvent the wheel!"
>
> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>



Re: Security mailing list

2017-12-19 Thread Jochen Wiedmann
On Tue, Dec 19, 2017 at 2:05 PM, Mark Thomas  wrote:

> Jira not required. Use the standard mailing list request form. If you request
> a security@ list the extra stuff (make it private, cc security@a.o on all
> mail) happens automatically.

Thanks, Mark! But what is the "standard mailing list request form", please?

Jochen


-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg




Re: Security mailing list

2017-12-19 Thread Mark Thomas
On 19 December 2017 11:37:48 GMT+00:00, Jochen Wiedmann wrote:
>Okay, in my opinion the response indicates, that my proposal is
>acceptable to all. Do we need a formal vote? (I hope not.) So, how do
>we proceed? Would it be okay for me to file a Jira issue?
>
>Thanks,
>
>Jochen

No need for a vote in my view.

Jira not required. Use the standard mailing list request form. If you request a
security@ list the extra stuff (make it private, cc security@a.o on all mail)
happens automatically.

Mark




Re: Security mailing list

2017-12-19 Thread Jochen Wiedmann
Okay, in my opinion the response indicates, that my proposal is
acceptable to all. Do we need a formal vote? (I hope not.) So, how do
we proceed? Would it be okay for me to file a Jira issue?

Thanks,

Jochen



-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg




Re: Security mailing list

2017-12-18 Thread sebb
On 18 December 2017 at 05:11, Stefan Bodewig  wrote:
> Hi
>
> first of all I'm +0.
>
> On 2017-12-15, Jochen Wiedmann wrote:
>
>> As a consequence, I'd like to question how others are handling this.
>> Could we have a mailing list, like secur...@commons.apache.org,
>> preferably with subscription limited to private@ members, and
>> secur...@apache.org subscribed automatically. (In theory, we could
>> subscribe selected committers, too.)
>
> My guess is we won't get people subscribed who are familiar enough with
> the code for every component. In the end the subscribers of the security
> list will need to reach out to the private list to deal with the issues
> so I'm not sure the new list would be helping much. But I won't stand in
> the way.

Even if (nearly) everyone on the PMC ends up being subscribed to the
security list, IMO it should still help to keep track of issues.
We cannot use standard JIRA or Bugzilla because they are public.

So +1 from me.

> Stefan
>



Re: Security mailing list

2017-12-17 Thread Stefan Bodewig
Hi

first of all I'm +0.

On 2017-12-15, Jochen Wiedmann wrote:

> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like secur...@commons.apache.org,
> preferably with subscription limited to private@ members, and
> secur...@apache.org subscribed automatically. (In theory, we could
> subscribe selected committers, too.)

My guess is we won't get people subscribed who are familiar enough with
the code for every component. In the end the subscribers of the security
list will need to reach out to the private list to deal with the issues
so I'm not sure the new list would be helping much. But I won't stand in
the way.

Stefan




Re: Security mailing list

2017-12-17 Thread Jochen Wiedmann


On 2017-12-17 16:07, Gary Gregory  wrote: 
> Is there a requirement to double post to s@a.o? If not switching from s@a.o
> to s@c.a.o seems ok.

I understand, that s@a.o can be subscribed to s@c.a.o, so there would be no
need for double posting. [1]

Jochen

1: https://issues.apache.org/jira/browse/INFRA-15671





Re: Security mailing list

2017-12-17 Thread Jochen Wiedmann
On Sun, Dec 17, 2017 at 6:47 PM, Gary Gregory  wrote:

> If they only post to s@a.o, then they will forward to s@c.a.o
>
>
> Who will do this forwarding?

The same persons, or mechanisms, which are forwarding to private @c.a.o now.


Jochen

-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg




Re: Security mailing list

2017-12-17 Thread Gary Gregory
On Dec 17, 2017 08:39, "sebb"  wrote:

On 17 December 2017 at 15:07, Gary Gregory  wrote:
> Is there a requirement to double post to s@a.o? If not switching from s@a.o
> to s@c.a.o seems ok.

Huh?
Not sure where the double post ref comes from.

All security issues must be copied to s@a.o.
This is done automatically if users post to s@c.a.o.

If they only post to s@a.o, then they will forward to s@c.a.o


Who will do this forwarding?

Gary


> Gary
>
> On Dec 17, 2017 03:31, "Jochen Wiedmann" wrote:
>
>> I think, that the topic would deserve a few more replies.
>>
>> Jochen
>>
>>
>> On Fri, Dec 15, 2017 at 6:07 PM, sebb  wrote:
>> > On 15 December 2017 at 16:12, Matt Sicker  wrote:
>> >> There certainly are several ASF projects that have dedicated security@
>> >> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
>> >> secur...@apache.org and then security@ would forward to the appropriate
>> >> commons list?
>> >
>> > Either.
>> >
>> > If they mail security@a.o then they will forward to security@commons
>> >
>> > If they mail security@commons, then security@a.o is automatically copied.
>> >
>> >> On 15 December 2017 at 08:03, Gilles wrote:
>> >>
>> >>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>> >>>
>> >>>> Hi,
>> >>>>
>> >>>> over the last months we have definitely seen our share of security
>> >>>> related issues. However, I also noticed that we had a tendency to
>> >>>> lose these threads in the overall noise, resulting in mails like "Did
>> >>>> anyone reply to the reporter?"
>> >>>>
>> >>>> No, according to Linus Torvalds, that is perfectly fine, because a
>> >>>> security issue is "just another bug". However, I am not Linus, and
>> >>>> would like to see these things in a better state.
>> >>>>
>> >>>> As a consequence, I'd like to question how others are handling this.
>> >>>> Could we have a mailing list, like secur...@commons.apache.org,
>> >>>>
>> >>>
>> >>> +1
>> >>>
>> >>> Gilles
>> >>>
>> >>>> preferably with subscription limited to private@ members, and
>> >>>> secur...@apache.org subscribed automatically. (In theory, we could
>> >>>> subscribe selected committers, too.)
>> >>>>
>> >>>> At the very least, this would allow us to create a filter for security
>> >>>> related messages, thereby concentrate our attention.
>> >>>>
>> >>>> Jochen
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >> --
>> >> Matt Sicker 
>> >
>> >
>>
>>
>>
>> --
>> The next time you hear: "Don't reinvent the wheel!"
>>
>> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>>


Re: Security mailing list

2017-12-17 Thread sebb
On 17 December 2017 at 15:07, Gary Gregory  wrote:
> Is there a requirement to double post to s@a.o? If not switching from s@a.o
> to s@c.a.o seems ok.

Huh?
Not sure where the double post ref comes from.

All security issues must be copied to s@a.o.
This is done automatically if users post to s@c.a.o.

If they only post to s@a.o, then they will forward to s@c.a.o

> Gary
>
> On Dec 17, 2017 03:31, "Jochen Wiedmann"  wrote:
>
>> I think, that the topic would deserve a few more replies.
>>
>> Jochen
>>
>>
>> On Fri, Dec 15, 2017 at 6:07 PM, sebb  wrote:
>> > On 15 December 2017 at 16:12, Matt Sicker  wrote:
>> >> There certainly are several ASF projects that have dedicated security@
>> >> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
>> >> secur...@apache.org and then security@ would forward to the appropriate
>> >> commons list?
>> >
>> > Either.
>> >
>> > If they mail security@a.o then they will forward to security@commons
>> >
>> > If they mail security@commons, then security@a.o is automatically copied.
>> >
>> >> On 15 December 2017 at 08:03, Gilles wrote:
>> >>
>> >>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>> >>>
>> >>>> Hi,
>> >>>>
>> >>>> over the last months we have definitely seen our share of security
>> >>>> related issues. However, I also noticed that we had a tendency to
>> >>>> lose these threads in the overall noise, resulting in mails like "Did
>> >>>> anyone reply to the reporter?"
>> >>>>
>> >>>> No, according to Linus Torvalds, that is perfectly fine, because a
>> >>>> security issue is "just another bug". However, I am not Linus, and
>> >>>> would like to see these things in a better state.
>> >>>>
>> >>>> As a consequence, I'd like to question how others are handling this.
>> >>>> Could we have a mailing list, like secur...@commons.apache.org,
>> >>>>
>> >>>
>> >>> +1
>> >>>
>> >>> Gilles
>> >>>
>> >>>> preferably with subscription limited to private@ members, and
>> >>>> secur...@apache.org subscribed automatically. (In theory, we could
>> >>>> subscribe selected committers, too.)
>> >>>>
>> >>>> At the very least, this would allow us to create a filter for security
>> >>>> related messages, thereby concentrate our attention.
>> >>>>
>> >>>> Jochen
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >> --
>> >> Matt Sicker 
>> >
>> >
>>
>>
>>
>> --
>> The next time you hear: "Don't reinvent the wheel!"
>>
>> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>>



Re: Security mailing list

2017-12-17 Thread Gary Gregory
Is there a requirement to double post to s@a.o? If not switching from s@a.o
to s@c.a.o seems ok.

Gary

On Dec 17, 2017 03:31, "Jochen Wiedmann"  wrote:

> I think, that the topic would deserve a few more replies.
>
> Jochen
>
>
> On Fri, Dec 15, 2017 at 6:07 PM, sebb  wrote:
> > On 15 December 2017 at 16:12, Matt Sicker  wrote:
> >> There certainly are several ASF projects that have dedicated security@
> >> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
> >> secur...@apache.org and then security@ would forward to the appropriate
> >> commons list?
> >
> > Either.
> >
> > If they mail security@a.o then they will forward to security@commons
> >
> > If they mail security@commons, then security@a.o is automatically copied.
> >
> >> On 15 December 2017 at 08:03, Gilles wrote:
> >>
> >>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> over the last months we have definitely seen our share of security
> >>>> related issues. However, I also noticed that we had a tendency to
> >>>> lose these threads in the overall noise, resulting in mails like "Did
> >>>> anyone reply to the reporter?"
> >>>>
> >>>> No, according to Linus Torvalds, that is perfectly fine, because a
> >>>> security issue is "just another bug". However, I am not Linus, and
> >>>> would like to see these things in a better state.
> >>>>
> >>>> As a consequence, I'd like to question how others are handling this.
> >>>> Could we have a mailing list, like secur...@commons.apache.org,
> >>>>
> >>>
> >>> +1
> >>>
> >>> Gilles
> >>>
> >>>> preferably with subscription limited to private@ members, and
> >>>> secur...@apache.org subscribed automatically. (In theory, we could
> >>>> subscribe selected committers, too.)
> >>>>
> >>>> At the very least, this would allow us to create a filter for security
> >>>> related messages, thereby concentrate our attention.
> >>>>
> >>>> Jochen
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>
> >>
> >> --
> >> Matt Sicker 
> >
> >
>
>
>
> --
> The next time you hear: "Don't reinvent the wheel!"
>
> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>
>
>


Re: Security mailing list

2017-12-17 Thread Rob Tompkins
+0 or +1. Seems ok.

> On Dec 17, 2017, at 7:21 AM, Jacques Le Roux wrote:
> 
> +1
> 
> Jacques
> 
> 
>> On 17/12/2017 at 12:22, Romain Manni-Bucau wrote:
>> +1
>> 
>> On 17 Dec 2017 12:14, "Mark Thomas" wrote:
>> 
>>> On 15/12/2017 11:13, Jochen Wiedmann wrote:
>>>> Hi,
>>>>
>>>> over the last months we have definitely seen our share of security
>>>> related issues. However, I also noticed that we had a tendency to
>>>> lose these threads in the overall noise, resulting in mails like "Did
>>>> anyone reply to the reporter?"
>>>>
>>>> No, according to Linus Torvalds, that is perfectly fine, because a
>>>> security issue is "just another bug". However, I am not Linus, and
>>>> would like to see these things in a better state.
>>>>
>>>> As a consequence, I'd like to question how others are handling this.
>>>> Could we have a mailing list, like secur...@commons.apache.org,
>>>> preferably with subscription limited to private@ members, and
>>>> secur...@apache.org subscribed automatically. (In theory, we could
>>>> subscribe selected committers, too.)
>>> +1
>>> 
>>> Works for me.
>>> 
>>> Mark
>>> 
>>>> At the very least, this would allow us to create a filter for security
>>>> related messages, thereby concentrate our attention.
>>>>
>>>> Jochen
>>>>
>>> 
>>> 
>>> 
> 
> 



Re: Security mailing list

2017-12-17 Thread Jacques Le Roux

+1

Jacques


On 17/12/2017 at 12:22, Romain Manni-Bucau wrote:
> +1
>
> On 17 Dec 2017 12:14, "Mark Thomas" wrote:
>
>> On 15/12/2017 11:13, Jochen Wiedmann wrote:
>>> Hi,
>>>
>>> over the last months we have definitely seen our share of security
>>> related issues. However, I also noticed that we had a tendency to
>>> lose these threads in the overall noise, resulting in mails like "Did
>>> anyone reply to the reporter?"
>>>
>>> No, according to Linus Torvalds, that is perfectly fine, because a
>>> security issue is "just another bug". However, I am not Linus, and
>>> would like to see these things in a better state.
>>>
>>> As a consequence, I'd like to question how others are handling this.
>>> Could we have a mailing list, like secur...@commons.apache.org,
>>> preferably with subscription limited to private@ members, and
>>> secur...@apache.org subscribed automatically. (In theory, we could
>>> subscribe selected committers, too.)
>>
>> +1
>>
>> Works for me.
>>
>> Mark
>>
>>> At the very least, this would allow us to create a filter for security
>>> related messages, thereby concentrate our attention.
>>>
>>> Jochen



Re: Security mailing list

2017-12-17 Thread Romain Manni-Bucau
+1

On 17 Dec 2017 12:14, "Mark Thomas" wrote:

> On 15/12/2017 11:13, Jochen Wiedmann wrote:
> > Hi,
> >
> > over the last months we have definitely seen our share of security
> > related issues. However, I also noticed that we had a tendency to
> > lose these threads in the overall noise, resulting in mails like "Did
> > anyone reply to the reporter?"
> >
> > No, according to Linus Torvalds, that is perfectly fine, because a
> > security issue is "just another bug". However, I am not Linus, and
> > would like to see these things in a better state.
> >
> > As a consequence, I'd like to question how others are handling this.
> > Could we have a mailing list, like secur...@commons.apache.org,
> > preferably with subscription limited to private@ members, and
> > secur...@apache.org subscribed automatically. (In theory, we could
> > subscribe selected committers, too.)
>
> +1
>
> Works for me.
>
> Mark
>
> >
> > At the very least, this would allow us to create a filter for security
> > related messages, thereby concentrate our attention.
> >
> > Jochen
> >
> >
>
>
>
>


Re: Security mailing list

2017-12-17 Thread Mark Thomas
On 15/12/2017 11:13, Jochen Wiedmann wrote:
> Hi,
> 
> over the last months we have definitely seen our share of security
> related issues. However, I also noticed that we had a tendency to
> lose these threads in the overall noise, resulting in mails like "Did
> anyone reply to the reporter?"
> 
> No, according to Linus Torvalds, that is perfectly fine, because a
> security issue is "just another bug". However, I am not Linus, and
> would like to see these things in a better state.
> 
> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like secur...@commons.apache.org,
> preferably with subscription limited to private@ members, and
> secur...@apache.org subscribed automatically. (In theory, we could
> subscribe selected committers, too.)

+1

Works for me.

Mark

> 
> At the very least, this would allow us to create a filter for security
> related messages, thereby concentrate our attention.
> 
> Jochen
> 
> 





Re: Security mailing list

2017-12-17 Thread Jochen Wiedmann
I think, that the topic would deserve a few more replies.

Jochen


On Fri, Dec 15, 2017 at 6:07 PM, sebb  wrote:
> On 15 December 2017 at 16:12, Matt Sicker  wrote:
>> There certainly are several ASF projects that have dedicated security@
>> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
>> secur...@apache.org and then security@ would forward to the appropriate
>> commons list?
>
> Either.
>
> If they mail security@a.o then they will forward to security@commons
>
> If they mail security@commons, then security@a.o is automatically copied.
>
>> On 15 December 2017 at 08:03, Gilles  wrote:
>>
>>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>>>
>>>> Hi,
>>>>
>>>> over the last months we have definitely seen our share of security
>>>> related issues. However, I also noticed that we had a tendency to
>>>> lose these threads in the overall noise, resulting in mails like "Did
>>>> anyone reply to the reporter?"
>>>>
>>>> No, according to Linus Torvalds, that is perfectly fine, because a
>>>> security issue is "just another bug". However, I am not Linus, and
>>>> would like to see these things in a better state.
>>>>
>>>> As a consequence, I'd like to question how others are handling this.
>>>> Could we have a mailing list, like secur...@commons.apache.org,
>>>>
>>>
>>> +1
>>>
>>> Gilles
>>>
>>>> preferably with subscription limited to private@ members, and
>>>> secur...@apache.org subscribed automatically. (In theory, we could
>>>> subscribe selected committers, too.)
>>>>
>>>> At the very least, this would allow us to create a filter for security
>>>> related messages, thereby concentrate our attention.
>>>>
>>>> Jochen
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Matt Sicker 
>
>



-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg




Re: Security mailing list

2017-12-15 Thread sebb
On 15 December 2017 at 16:12, Matt Sicker  wrote:
> There certainly are several ASF projects that have dedicated security@
> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
> secur...@apache.org and then security@ would forward to the appropriate
> commons list?

Either.

If they mail security@a.o then they will forward to security@commons

If they mail security@commons, then security@a.o is automatically copied.

> On 15 December 2017 at 08:03, Gilles  wrote:
>
>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>>
>>> Hi,
>>>
>>> over the last months we have definitely seen our share of security
>>> related issues. However, I also noticed that we had a tendency to
>>> lose these threads in the overall noise, resulting in mails like "Did
>>> anyone reply to the reporter?"
>>>
>>> No, according to Linus Torvalds, that is perfectly fine, because a
>>> security issue is "just another bug". However, I am not Linus, and
>>> would like to see these things in a better state.
>>>
>>> As a consequence, I'd like to question how others are handling this.
>>> Could we have a mailing list, like secur...@commons.apache.org,
>>>
>>
>> +1
>>
>> Gilles
>>
>>> preferably with subscription limited to private@ members, and
>>> secur...@apache.org subscribed automatically. (In theory, we could
>>> subscribe selected committers, too.)
>>>
>>> At the very least, this would allow us to create a filter for security
>>> related messages, thereby concentrate our attention.
>>>
>>> Jochen
>>>
>>
>>
>>
>>
>
>
> --
> Matt Sicker 




Re: Security mailing list

2017-12-15 Thread Matt Sicker
There certainly are several ASF projects that have dedicated security@
mailing lists (e.g., Tomcat has one). Would bug reporters still just email
secur...@apache.org and then security@ would forward to the appropriate
commons list?

On 15 December 2017 at 08:03, Gilles  wrote:

> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>
>> Hi,
>>
>> over the last months we have definitely seen our share of security
>> related issues. However, I also noticed that we had a tendency to
>> lose these threads in the overall noise, resulting in mails like "Did
>> anyone reply to the reporter?"
>>
>> No, according to Linus Torvalds, that is perfectly fine, because a
>> security issue is "just another bug". However, I am not Linus, and
>> would like to see these things in a better state.
>>
>> As a consequence, I'd like to question how others are handling this.
>> Could we have a mailing list, like secur...@commons.apache.org,
>>
>
> +1
>
> Gilles
>
>> preferably with subscription limited to private@ members, and
>> secur...@apache.org subscribed automatically. (In theory, we could
>> subscribe selected committers, too.)
>>
>> At the very least, this would allow us to create a filter for security
>> related messages, thereby concentrate our attention.
>>
>> Jochen
>>
>
>
>
>


-- 
Matt Sicker 


Re: [All] Finer-grained MLs (Was: Security mailing list)

2017-12-15 Thread sebb
On 15 December 2017 at 14:08, Gilles  wrote:
> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>>
>> [...]
>> Could we have a mailing list, like secur...@commons.apache.org,
>> [...]
>
>
> I'd like to expand the suggestion: make component-specific MLs for
> automatically generated messages (GitHub, JIRA, Nexus) so that people
> not actively involved in the development of  are not
> overwhelmed by posts that are always to be deleted (in which case it
> is rather more efficient to avoid sending it in the first place).

-1

For the same reason that commit messages are of concern to all Commons
developers.

Such messages are easy enough to filter if required.

> Of course, this opt-out would not concern "commit" messages.
>
> Gilles
>
>



[All] Finer-grained MLs (Was: Security mailing list)

2017-12-15 Thread Gilles

On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:

> [...]
> Could we have a mailing list, like secur...@commons.apache.org,
> [...]


I'd like to expand the suggestion: make component-specific MLs for
automatically generated messages (GitHub, JIRA, Nexus) so that people
not actively involved in the development of  are not
overwhelmed by posts that are always to be deleted (in which case it
is rather more efficient to avoid sending it in the first place).

Of course, this opt-out would not concern "commit" messages.

Gilles





Re: Security mailing list

2017-12-15 Thread Gilles

On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:

> Hi,
>
> over the last months we have definitely seen our share of security
> related issues. However, I also noticed that we had a tendency to
> lose these threads in the overall noise, resulting in mails like "Did
> anyone reply to the reporter?"
>
> No, according to Linus Torvalds, that is perfectly fine, because a
> security issue is "just another bug". However, I am not Linus, and
> would like to see these things in a better state.
>
> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like secur...@commons.apache.org,

+1

Gilles

> preferably with subscription limited to private@ members, and
> secur...@apache.org subscribed automatically. (In theory, we could
> subscribe selected committers, too.)
>
> At the very least, this would allow us to create a filter for security
> related messages, thereby concentrate our attention.
>
> Jochen






Security mailing list

2017-12-15 Thread Jochen Wiedmann
Hi,

over the last months we have definitely seen our share of security
related issues. However, I also noticed that we had a tendency to
lose these threads in the overall noise, resulting in mails like "Did
anyone reply to the reporter?"

No, according to Linus Torvalds, that is perfectly fine, because a
security issue is "just another bug". However, I am not Linus, and
would like to see these things in a better state.

As a consequence, I'd like to question how others are handling this.
Could we have a mailing list, like secur...@commons.apache.org,
preferably with subscription limited to private@ members, and
secur...@apache.org subscribed automatically. (In theory, we could
subscribe selected committers, too.)

At the very least, this would allow us to create a filter for security
related messages, thereby concentrate our attention.

Jochen


-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
