On Jan 19, 2009, at 9:14 AM, Donald Woods wrote:
There was a long discussion around mid-December on the private and
security Geronimo mailing lists about how to handle security
vulnerabilities. The outcome of that discussion (which is mainly a
boilerplate suggested by Mark Thomas for all projects to use) can be
found on our Project Policies wiki page at -
http://cwiki.apache.org/GMOxPMGT/geronimo-project-policies.html
If you see anything that needs changing or information that needs to
be added, then please discuss on this thread.
The only question I had concerned step 6. Should the fix be discussed
on security@ and/or priv...@? It needs to be on a "private" list, to
properly embargo the vulnerability until a fix is available. Since
most of the discussions of the issue occur on secur...@geronimo, I
think discussion of the fix is most appropriate there.
Thoughts?
--kevan