[DISCUSS] Security Vulnerability Policy created
There was a long discussion around mid-December on the private and security Geronimo mailing lists about how to handle security vulnerabilities. The outcome of that discussion (which is mainly a boilerplate suggested by Mark Thomas for all projects to use) can be found on our Project Policies wiki page at - http://cwiki.apache.org/GMOxPMGT/geronimo-project-policies.html If you see anything that needs changing or information that needs to be added, then please discuss on this thread. Thanks, Apache Geronimo PMC
Re: [DISCUSS] Security Vulnerability Policy created
On Jan 19, 2009, at 9:14 AM, Donald Woods wrote:

> There was a long discussion around mid-December on the private and security Geronimo mailing lists about how to handle security vulnerabilities. The outcome of that discussion (which is mainly a boilerplate suggested by Mark Thomas for all projects to use) can be found on our Project Policies wiki page at - http://cwiki.apache.org/GMOxPMGT/geronimo-project-policies.html If you see anything that needs changing or information that needs to be added, then please discuss on this thread.

The only question I had concerned step 6. Should the fix be discussed on security@ and/or priv...@? It needs to be on a private list, to properly embargo the vulnerability until a fix is available. Since most of the discussions of the issue occur on secur...@geronimo, I think discussion of the fix is most appropriate there. Thoughts?

--kevan
Re: [DISCUSS] Security Vulnerability Policy created
Sounds good to me. Should step #8 include a post to the private@ list, so other PMC members will have some history behind the fixes being checked into svn in step #9?

-Donald

Kevan Miller wrote:

> On Jan 19, 2009, at 9:14 AM, Donald Woods wrote:
>
> > There was a long discussion around mid-December on the private and security Geronimo mailing lists about how to handle security vulnerabilities. The outcome of that discussion (which is mainly a boilerplate suggested by Mark Thomas for all projects to use) can be found on our Project Policies wiki page at - http://cwiki.apache.org/GMOxPMGT/geronimo-project-policies.html If you see anything that needs changing or information that needs to be added, then please discuss on this thread.
>
> The only question I had concerned step 6. Should the fix be discussed on security@ and/or priv...@? It needs to be on a private list, to properly embargo the vulnerability until a fix is available. Since most of the discussions of the issue occur on secur...@geronimo, I think discussion of the fix is most appropriate there. Thoughts?
>
> --kevan