[VOTE] Create the "security" mailing list for the OFBiz project


[VOTE] Create the "security" mailing list for the OFBiz project

Jacopo Cappellato-5
Rationale: every ASF project needs a private list to discuss product
vulnerabilities; for OFBiz the "private" list has been used for this
purpose until now; however an ad-hoc list may be useful because it could
provide a more focused space to discuss the security issues and could
provide more flexibility to invite in the private list persons willing to
help that are trusted by the PMC.

Please vote,

+1

to create a "security" list (i.e. [hidden email]) and move all
the security related discussions and notifications currently happening on
the private list to this new list: according to the ASF policies [*] the
list will be a private list used by the persons willing to help to resolve
security issues; the list of subscribers will be approved by the OFBiz PMC.

Otherwise vote -1 to continue to use the "private" mailing list for
vulnerability handling.

[*] http://www.apache.org/security/

Re: [VOTE] Create the "security" mailing list for the OFBiz project

Michael Brohl-3
+1

The "private" mailing list is only for PMC members of the project?

Regards,
Michael Brohl
ecomify GmbH
www.ecomify.de


On 24.07.16 at 14:32, Jacopo Cappellato wrote:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/
>



Re: [VOTE] Create the "security" mailing list for the OFBiz project

gregory draperi
In reply to this post by Jacopo Cappellato-5
+1

2016-07-24 14:32 GMT+02:00 Jacopo Cappellato <
[hidden email]>:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/
>



--
Grégory Draperi

Re: [VOTE] Create the "security" mailing list for the OFBiz project

Jacques Le Roux
Administrator
In reply to this post by Michael Brohl-3
Yes Michael.

+1 for me also for the security list

I noted that this will allow your contact info to be published here: https://www.apache.org/security/projects.html

Thanks

Jacques


On 24/07/2016 at 14:43, Michael Brohl wrote:

> +1
>
> The "private" mailing list is only for PMC members of the project?
>
> Regards,
> Michael Brohl
> ecomify GmbH
> www.ecomify.de
>
>
> On 24.07.16 at 14:32, Jacopo Cappellato wrote:
>> Rationale: every ASF project needs a private list to discuss product
>> vulnerabilities; for OFBiz the "private" list has been used for this
>> purpose until now; however an ad-hoc list may be useful because it could
>> provide a more focused space to discuss the security issues and could
>> provide more flexibility to invite in the private list persons willing to
>> help that are trusted by the PMC.
>>
>> Please vote,
>>
>> +1
>>
>> to create a "security" list (i.e. [hidden email]) and move all
>> the security related discussions and notifications currently happening on
>> the private list to this new list: according to the ASF policies [*] the
>> list will be a private list used by the persons willing to help to resolve
>> security issues; the list of subscribers will be approved by the OFBiz PMC.
>>
>> Otherwise vote -1 to continue to use the "private" mailing list for
>> vulnerability handling.
>>
>> [*] http://www.apache.org/security/
>>
>
>


Re: [VOTE] Create the "security" mailing list for the OFBiz project

Jacques Le Roux
Administrator
On 24/07/2016 at 14:55, Jacques Le Roux wrote:
> Yes Michael.
>
> +1 for me also for the security list
>
> I noted that this will allow your contact info to be published here: https://www.apache.org/security/projects.html
Typo, it's : our contact info
Jacques

>
> Thanks
>
> Jacques
>
>
> On 24/07/2016 at 14:43, Michael Brohl wrote:
>> +1
>>
>> The "private" mailing list is only for PMC members of the project?
>>
>> Regards,
>> Michael Brohl
>> ecomify GmbH
>> www.ecomify.de
>>
>>
>> On 24.07.16 at 14:32, Jacopo Cappellato wrote:
>>> Rationale: every ASF project needs a private list to discuss product
>>> vulnerabilities; for OFBiz the "private" list has been used for this
>>> purpose until now; however an ad-hoc list may be useful because it could
>>> provide a more focused space to discuss the security issues and could
>>> provide more flexibility to invite in the private list persons willing to
>>> help that are trusted by the PMC.
>>>
>>> Please vote,
>>>
>>> +1
>>>
>>> to create a "security" list (i.e. [hidden email]) and move all
>>> the security related discussions and notifications currently happening on
>>> the private list to this new list: according to the ASF policies [*] the
>>> list will be a private list used by the persons willing to help to resolve
>>> security issues; the list of subscribers will be approved by the OFBiz PMC.
>>>
>>> Otherwise vote -1 to continue to use the "private" mailing list for
>>> vulnerability handling.
>>>
>>> [*] http://www.apache.org/security/
>>>
>>
>>
>
>


Re: [VOTE] Create the "security" mailing list for the OFBiz project

taher
+1 good idea

On Jul 24, 2016 3:56 PM, "Jacques Le Roux" <[hidden email]>
wrote:

On 24/07/2016 at 14:55, Jacques Le Roux wrote:

> Yes Michael.
>
> +1 for me also for the security list
>
> I noted that this will allow your contact info to be published here:
> https://www.apache.org/security/projects.html
>
Typo, it's : our contact info
Jacques


> Thanks
>
> Jacques
>
>
> On 24/07/2016 at 14:43, Michael Brohl wrote:
>
>> +1
>>
>> The "private" mailing list is only for PMC members of the project?
>>
>> Regards,
>> Michael Brohl
>> ecomify GmbH
>> www.ecomify.de
>>
>>
>> On 24.07.16 at 14:32, Jacopo Cappellato wrote:
>>
>>> Rationale: every ASF project needs a private list to discuss product
>>> vulnerabilities; for OFBiz the "private" list has been used for this
>>> purpose until now; however an ad-hoc list may be useful because it could
>>> provide a more focused space to discuss the security issues and could
>>> provide more flexibility to invite in the private list persons willing to
>>> help that are trusted by the PMC.
>>>
>>> Please vote,
>>>
>>> +1
>>>
>>> to create a "security" list (i.e. [hidden email]) and move
>>> all
>>> the security related discussions and notifications currently happening on
>>> the private list to this new list: according to the ASF policies [*] the
>>> list will be a private list used by the persons willing to help to
>>> resolve
>>> security issues; the list of subscribers will be approved by the OFBiz
>>> PMC.
>>>
>>> Otherwise vote -1 to continue to use the "private" mailing list for
>>> vulnerability handling.
>>>
>>> [*] http://www.apache.org/security/
>>>
>>>
>>
>>
>
>

Re: [VOTE] Create the "security" mailing list for the OFBiz project

Gil Portenseigne
In reply to this post by Jacopo Cappellato-5
+1

On 24/07/2016 14:32, Jacopo Cappellato wrote:
> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/



Re: [VOTE] Create the "security" mailing list for the OFBiz project

Sharan-F
In reply to this post by Jacopo Cappellato-5
+1

Thanks
Sharan

On 24/07/16 14:32, Jacopo Cappellato wrote:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/
>


Re: [VOTE] Create the "security" mailing list for the OFBiz project

Jacques Le Roux
Administrator
In reply to this post by Jacques Le Roux
Mmm... I must also add that ASF members have access to other PMCs private MLs

Jacques


On 24/07/2016 at 14:56, Jacques Le Roux wrote:
> On 24/07/2016 at 14:55, Jacques Le Roux wrote:
>> Yes Michael.
>>
>> On 24/07/2016 at 14:43, Michael Brohl wrote:
>>> The "private" mailing list is only for PMC members of the project?


Re: [VOTE] Create the "security" mailing list for the OFBiz project

Julien NICOLAS
In reply to this post by Jacopo Cappellato-5
+1


On 24/07/2016 14:32, Jacopo Cappellato wrote:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/
>


Re: [VOTE] Create the "security" mailing list for the OFBiz project

Ashish Vijaywargiya-4
In reply to this post by Jacopo Cappellato-5
+1

--
Kind Regards
Ashish Vijaywargiya
HotWax Systems - est. 1997


On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
[hidden email]> wrote:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/
>

Re: [VOTE] Create the "security" mailing list for the OFBiz project

Scott Gray-3
Do we actually need a separate mailing list, or should it just forward to
private@?

Regards
Scott

On 25 July 2016 at 15:58, Ashish Vijaywargiya <
[hidden email]> wrote:

> +1
>
> --
> Kind Regards
> Ashish Vijaywargiya
> HotWax Systems - est. 1997
>
>
> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
> [hidden email]> wrote:
>
> > Rationale: every ASF project needs a private list to discuss product
> > vulnerabilities; for OFBiz the "private" list has been used for this
> > purpose until now; however an ad-hoc list may be useful because it could
> > provide a more focused space to discuss the security issues and could
> > provide more flexibility to invite in the private list persons willing to
> > help that are trusted by the PMC.
> >
> > Please vote,
> >
> > +1
> >
> > to create a "security" list (i.e. [hidden email]) and move
> all
> > the security related discussions and notifications currently happening on
> > the private list to this new list: according to the ASF policies [*] the
> > list will be a private list used by the persons willing to help to
> resolve
> > security issues; the list of subscribers will be approved by the OFBiz
> PMC.
> >
> > Otherwise vote -1 to continue to use the "private" mailing list for
> > vulnerability handling.
> >
> > [*] http://www.apache.org/security/
> >
>

Re: [VOTE] Create the "security" mailing list for the OFBiz project

Deepak Dixit-3
+1

Thanks & Regards
--
Deepak Dixit
www.hotwaxsystems.com

On Mon, Jul 25, 2016 at 10:08 AM, Scott Gray <[hidden email]>
wrote:

> Do we actually need a separate mailing list, or should it just forward to
> private@?
>
> Regards
> Scott
>
> On 25 July 2016 at 15:58, Ashish Vijaywargiya <
> [hidden email]> wrote:
>
> > +1
> >
> > --
> > Kind Regards
> > Ashish Vijaywargiya
> > HotWax Systems - est. 1997
> >
> >
> > On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
> > [hidden email]> wrote:
> >
> > > Rationale: every ASF project needs a private list to discuss product
> > > vulnerabilities; for OFBiz the "private" list has been used for this
> > > purpose until now; however an ad-hoc list may be useful because it
> could
> > > provide a more focused space to discuss the security issues and could
> > > provide more flexibility to invite in the private list persons willing
> to
> > > help that are trusted by the PMC.
> > >
> > > Please vote,
> > >
> > > +1
> > >
> > > to create a "security" list (i.e. [hidden email]) and move
> > all
> > > the security related discussions and notifications currently happening
> on
> > > the private list to this new list: according to the ASF policies [*]
> the
> > > list will be a private list used by the persons willing to help to
> > resolve
> > > security issues; the list of subscribers will be approved by the OFBiz
> > PMC.
> > >
> > > Otherwise vote -1 to continue to use the "private" mailing list for
> > > vulnerability handling.
> > >
> > > [*] http://www.apache.org/security/
> > >
> >
>

Re: [VOTE] Create the "security" mailing list for the OFBiz project

Nicolas Malin-2
In reply to this post by Jacopo Cappellato-5
+1

On 24/07/2016 at 14:32, Jacopo Cappellato wrote:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/
>


Re: [VOTE] Create the "security" mailing list for the OFBiz project

Jacques Le Roux
Administrator
In reply to this post by Scott Gray-3
I guess we need at least a separate list to grant access to non OFBiz-PMC/ASF members

Jacques


On 25/07/2016 at 06:38, Scott Gray wrote:

> Do we actually need a separate mailing list, or should it just forward to
> private@?
>
> Regards
> Scott
>
> On 25 July 2016 at 15:58, Ashish Vijaywargiya <
> [hidden email]> wrote:
>
>> +1
>>
>> --
>> Kind Regards
>> Ashish Vijaywargiya
>> HotWax Systems - est. 1997
>>
>>
>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
>> [hidden email]> wrote:
>>
>>> Rationale: every ASF project needs a private list to discuss product
>>> vulnerabilities; for OFBiz the "private" list has been used for this
>>> purpose until now; however an ad-hoc list may be useful because it could
>>> provide a more focused space to discuss the security issues and could
>>> provide more flexibility to invite in the private list persons willing to
>>> help that are trusted by the PMC.
>>>
>>> Please vote,
>>>
>>> +1
>>>
>>> to create a "security" list (i.e. [hidden email]) and move
>> all
>>> the security related discussions and notifications currently happening on
>>> the private list to this new list: according to the ASF policies [*] the
>>> list will be a private list used by the persons willing to help to
>> resolve
>>> security issues; the list of subscribers will be approved by the OFBiz
>> PMC.
>>> Otherwise vote -1 to continue to use the "private" mailing list for
>>> vulnerability handling.
>>>
>>> [*] http://www.apache.org/security/
>>>


Re: [VOTE] Create the "security" mailing list for the OFBiz project

Scott Gray-3
Why would we do that?  Security concerns are the responsibility of the PMC
and supposed to be kept confidential until resolved aren't they?

On 25 July 2016 at 20:31, Jacques Le Roux <[hidden email]>
wrote:

> I guess we need at least a separate list to grant access to non
> OFBiz-PMC/ASF members
>
> Jacques
>
>
>
> On 25/07/2016 at 06:38, Scott Gray wrote:
>
>> Do we actually need a separate mailing list, or should it just forward to
>> private@?
>>
>> Regards
>> Scott
>>
>> On 25 July 2016 at 15:58, Ashish Vijaywargiya <
>> [hidden email]> wrote:
>>
>> +1
>>>
>>> --
>>> Kind Regards
>>> Ashish Vijaywargiya
>>> HotWax Systems - est. 1997
>>>
>>>
>>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
>>> [hidden email]> wrote:
>>>
>>> Rationale: every ASF project needs a private list to discuss product
>>>> vulnerabilities; for OFBiz the "private" list has been used for this
>>>> purpose until now; however an ad-hoc list may be useful because it could
>>>> provide a more focused space to discuss the security issues and could
>>>> provide more flexibility to invite in the private list persons willing
>>>> to
>>>> help that are trusted by the PMC.
>>>>
>>>> Please vote,
>>>>
>>>> +1
>>>>
>>>> to create a "security" list (i.e. [hidden email]) and move
>>>>
>>> all
>>>
>>>> the security related discussions and notifications currently happening
>>>> on
>>>> the private list to this new list: according to the ASF policies [*] the
>>>> list will be a private list used by the persons willing to help to
>>>>
>>> resolve
>>>
>>>> security issues; the list of subscribers will be approved by the OFBiz
>>>>
>>> PMC.
>>>
>>>> Otherwise vote -1 to continue to use the "private" mailing list for
>>>> vulnerability handling.
>>>>
>>>> [*] http://www.apache.org/security/
>>>>
>>>>
>

Re: [VOTE] Create the "security" mailing list for the OFBiz project

gregory draperi
On my side I voted +1 as I think it would be easier for me to follow
security topics with a dedicated list.
Furthermore, I don't need to be added to the private list as I don't
need/want to be part of strategy or main orientations discussions for Ofbiz.


2016-07-25 11:27 GMT+02:00 Scott Gray <[hidden email]>:

> Why would we do that?  Security concerns are the responsibility of the PMC
> and supposed to be kept confidential until resolved aren't they?
>
> On 25 July 2016 at 20:31, Jacques Le Roux <[hidden email]>
> wrote:
>
> > I guess we need at least a separate list to grant access to non
> > OFBiz-PMC/ASF members
> >
> > Jacques
> >
> >
> >
> > On 25/07/2016 at 06:38, Scott Gray wrote:
> >
> >> Do we actually need a separate mailing list, or should it just forward
> to
> >> private@?
> >>
> >> Regards
> >> Scott
> >>
> >> On 25 July 2016 at 15:58, Ashish Vijaywargiya <
> >> [hidden email]> wrote:
> >>
> >> +1
> >>>
> >>> --
> >>> Kind Regards
> >>> Ashish Vijaywargiya
> >>> HotWax Systems - est. 1997
> >>>
> >>>
> >>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
> >>> [hidden email]> wrote:
> >>>
> >>> Rationale: every ASF project needs a private list to discuss product
> >>>> vulnerabilities; for OFBiz the "private" list has been used for this
> >>>> purpose until now; however an ad-hoc list may be useful because it
> could
> >>>> provide a more focused space to discuss the security issues and could
> >>>> provide more flexibility to invite in the private list persons willing
> >>>> to
> >>>> help that are trusted by the PMC.
> >>>>
> >>>> Please vote,
> >>>>
> >>>> +1
> >>>>
> >>>> to create a "security" list (i.e. [hidden email]) and move
> >>>>
> >>> all
> >>>
> >>>> the security related discussions and notifications currently happening
> >>>> on
> >>>> the private list to this new list: according to the ASF policies [*]
> the
> >>>> list will be a private list used by the persons willing to help to
> >>>>
> >>> resolve
> >>>
> >>>> security issues; the list of subscribers will be approved by the OFBiz
> >>>>
> >>> PMC.
> >>>
> >>>> Otherwise vote -1 to continue to use the "private" mailing list for
> >>>> vulnerability handling.
> >>>>
> >>>> [*] http://www.apache.org/security/
> >>>>
> >>>>
> >
>



--
Grégory Draperi

Re: [VOTE] Create the "security" mailing list for the OFBiz project

Scott Gray-3
Ok I had a read of http://www.apache.org/security/committers.html and I see
how it works.  Looks like PMC is the default alternative "security team"
when a security list doesn't exist.

On 25 July 2016 at 21:31, gregory draperi <[hidden email]> wrote:

> On my side I voted +1 as I think it would be easier for me to follow
> security topics with a dedicated list.
> Furthermore, I don't need to be added to the private list as I don't
> need/want to be part of strategy or main orientations discussions for
> Ofbiz.
>
>
> 2016-07-25 11:27 GMT+02:00 Scott Gray <[hidden email]>:
>
> > Why would we do that?  Security concerns are the responsibility of the
> PMC
> > and supposed to be kept confidential until resolved aren't they?
> >
> > On 25 July 2016 at 20:31, Jacques Le Roux <[hidden email]>
> > wrote:
> >
> > > I guess we need at least a separate list to grant access to non
> > > OFBiz-PMC/ASF members
> > >
> > > Jacques
> > >
> > >
> > >
> > > On 25/07/2016 at 06:38, Scott Gray wrote:
> > >
> > >> Do we actually need a separate mailing list, or should it just forward
> > to
> > >> private@?
> > >>
> > >> Regards
> > >> Scott
> > >>
> > >> On 25 July 2016 at 15:58, Ashish Vijaywargiya <
> > >> [hidden email]> wrote:
> > >>
> > >> +1
> > >>>
> > >>> --
> > >>> Kind Regards
> > >>> Ashish Vijaywargiya
> > >>> HotWax Systems - est. 1997
> > >>>
> > >>>
> > >>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
> > >>> [hidden email]> wrote:
> > >>>
> > >>> Rationale: every ASF project needs a private list to discuss product
> > >>>> vulnerabilities; for OFBiz the "private" list has been used for this
> > >>>> purpose until now; however an ad-hoc list may be useful because it
> > could
> > >>>> provide a more focused space to discuss the security issues and
> could
> > >>>> provide more flexibility to invite in the private list persons
> willing
> > >>>> to
> > >>>> help that are trusted by the PMC.
> > >>>>
> > >>>> Please vote,
> > >>>>
> > >>>> +1
> > >>>>
> > >>>> to create a "security" list (i.e. [hidden email]) and
> move
> > >>>>
> > >>> all
> > >>>
> > >>>> the security related discussions and notifications currently
> happening
> > >>>> on
> > >>>> the private list to this new list: according to the ASF policies [*]
> > the
> > >>>> list will be a private list used by the persons willing to help to
> > >>>>
> > >>> resolve
> > >>>
> > >>>> security issues; the list of subscribers will be approved by the
> OFBiz
> > >>>>
> > >>> PMC.
> > >>>
> > >>>> Otherwise vote -1 to continue to use the "private" mailing list for
> > >>>> vulnerability handling.
> > >>>>
> > >>>> [*] http://www.apache.org/security/
> > >>>>
> > >>>>
> > >
> >
>
>
>
> --
> Grégory Draperi
>

Re: [VOTE] Create the "security" mailing list for the OFBiz project

Jacopo Cappellato-5
Correct!
A project can ask for the creation of the security list and the PMC may
invite non-PMC members.

Jacopo

On Mon, Jul 25, 2016 at 12:06 PM, Scott Gray <[hidden email]>
wrote:

> Ok I had a read of http://www.apache.org/security/committers.html and I
> see
> how it works.  Looks like PMC is the default alternative "security team"
> when a security list doesn't exist.
>
> On 25 July 2016 at 21:31, gregory draperi <[hidden email]>
> wrote:
>
> > On my side I voted +1 as I think it would be easier for me to follow
> > security topics with a dedicated list.
> > Furthermore, I don't need to be added to the private list as I don't
> > need/want to be part of strategy or main orientations discussions for
> > Ofbiz.
> >
> >
> > 2016-07-25 11:27 GMT+02:00 Scott Gray <[hidden email]>:
> >
> > > Why would we do that?  Security concerns are the responsibility of the
> > PMC
> > > and supposed to be kept confidential until resolved aren't they?
> > >
> > > On 25 July 2016 at 20:31, Jacques Le Roux <
> [hidden email]>
> > > wrote:
> > >
> > > > I guess we need at least a separate list to grant access to non
> > > > OFBiz-PMC/ASF members
> > > >
> > > > Jacques
> > > >
> > > >
> > > >
> > > > On 25/07/2016 at 06:38, Scott Gray wrote:
> > > >
> > > >> Do we actually need a separate mailing list, or should it just
> forward
> > > to
> > > >> private@?
> > > >>
> > > >> Regards
> > > >> Scott
> > > >>
> > > >> On 25 July 2016 at 15:58, Ashish Vijaywargiya <
> > > >> [hidden email]> wrote:
> > > >>
> > > >> +1
> > > >>>
> > > >>> --
> > > >>> Kind Regards
> > > >>> Ashish Vijaywargiya
> > > >>> HotWax Systems - est. 1997
> > > >>>
> > > >>>
> > > >>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
> > > >>> [hidden email]> wrote:
> > > >>>
> > > >>> Rationale: every ASF project needs a private list to discuss
> product
> > > >>>> vulnerabilities; for OFBiz the "private" list has been used for
> this
> > > >>>> purpose until now; however an ad-hoc list may be useful because it
> > > could
> > > >>>> provide a more focused space to discuss the security issues and
> > could
> > > >>>> provide more flexibility to invite in the private list persons
> > willing
> > > >>>> to
> > > >>>> help that are trusted by the PMC.
> > > >>>>
> > > >>>> Please vote,
> > > >>>>
> > > >>>> +1
> > > >>>>
> > > >>>> to create a "security" list (i.e. [hidden email]) and
> > move
> > > >>>>
> > > >>> all
> > > >>>
> > > >>>> the security related discussions and notifications currently
> > happening
> > > >>>> on
> > > >>>> the private list to this new list: according to the ASF policies
> [*]
> > > the
> > > >>>> list will be a private list used by the persons willing to help to
> > > >>>>
> > > >>> resolve
> > > >>>
> > > >>>> security issues; the list of subscribers will be approved by the
> > OFBiz
> > > >>>>
> > > >>> PMC.
> > > >>>
> > > >>>> Otherwise vote -1 to continue to use the "private" mailing list
> for
> > > >>>> vulnerability handling.
> > > >>>>
> > > >>>> [*] http://www.apache.org/security/
> > > >>>>
> > > >>>>
> > > >
> > >
> >
> >
> >
> > --
> > Grégory Draperi
> >
>

Re: [VOTE] Create the "security" mailing list for the OFBiz project

David E. Jones-2
In reply to this post by Jacopo Cappellato-5

+1

-David


> On 24 Jul 2016, at 05:32, Jacopo Cappellato <[hidden email]> wrote:
>
> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/
