[VOTE] Create the "security" mailing list for the OFBiz project


Re: [VOTE] Create the "security" mailing list for the OFBiz project

Scott Gray-3
Thanks for confirming Jacopo, +1 from me

On 26/07/2016 00:32, "Jacopo Cappellato" <
[hidden email]> wrote:

> Correct!
> A project can ask for the creation of the security list and the PMC may
> invite non-PMC members.
>
> Jacopo
>
> On Mon, Jul 25, 2016 at 12:06 PM, Scott Gray <[hidden email]> wrote:
>
> > Ok I had a read of http://www.apache.org/security/committers.html and I see
> > how it works.  Looks like PMC is the default alternative "security team"
> > when a security list doesn't exist.
> >
> > On 25 July 2016 at 21:31, gregory draperi <[hidden email]>
> > wrote:
> >
> > > On my side I voted +1 as I think it would be easier for me to follow
> > > security topics with a dedicated list.
> > > Furthermore, I don't need to be added to the private list as I don't
> > > need/want to be part of strategy or main orientations discussions for
> > > Ofbiz.
> > >
> > >
> > > 2016-07-25 11:27 GMT+02:00 Scott Gray <[hidden email]>:
> > >
> > > > > Why would we do that?  Security concerns are the responsibility of the PMC
> > > > > and supposed to be kept confidential until resolved aren't they?
> > > >
> > > > > On 25 July 2016 at 20:31, Jacques Le Roux <[hidden email]>
> > > > > wrote:
> > > >
> > > > > I guess we need at least a separate list to grant access to non
> > > > > OFBiz-PMC/ASF members
> > > > >
> > > > > Jacques
> > > > >
> > > > >
> > > > >
> > > > > Le 25/07/2016 à 06:38, Scott Gray a écrit :
> > > > >
> > > > > >> Do we actually need a separate mailing list, or should it just forward to
> > > > > >> private@?
> > > > >>
> > > > >> Regards
> > > > >> Scott
> > > > >>
> > > > >> On 25 July 2016 at 15:58, Ashish Vijaywargiya <
> > > > >> [hidden email]> wrote:
> > > > >>
> > > > >> +1
> > > > >>>
> > > > >>> --
> > > > >>> Kind Regards
> > > > >>> Ashish Vijaywargiya
> > > > >>> HotWax Systems - est. 1997
> > > > >>>
> > > > >>>
> > > > >>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
> > > > >>> [hidden email]> wrote:
> > > > >>>
> > > > > >>>> Rationale: every ASF project needs a private list to discuss product
> > > > > >>>> vulnerabilities; for OFBiz the "private" list has been used for this
> > > > > >>>> purpose until now; however an ad-hoc list may be useful because it could
> > > > > >>>> provide a more focused space to discuss the security issues and could
> > > > > >>>> provide more flexibility to invite in the private list persons willing to
> > > > > >>>> help that are trusted by the PMC.
> > > > > >>>>
> > > > > >>>> Please vote,
> > > > > >>>>
> > > > > >>>> +1
> > > > > >>>>
> > > > > >>>> to create a "security" list (i.e. [hidden email]) and move all
> > > > > >>>> the security related discussions and notifications currently happening on
> > > > > >>>> the private list to this new list: according to the ASF policies [*] the
> > > > > >>>> list will be a private list used by the persons willing to help to resolve
> > > > > >>>> security issues; the list of subscribers will be approved by the OFBiz PMC.
> > > > > >>>>
> > > > > >>>> Otherwise vote -1 to continue to use the "private" mailing list for
> > > > > >>>> vulnerability handling.
> > > > > >>>>
> > > > > >>>> [*] http://www.apache.org/security/
> > > > >>>>
> > > > >>>>
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Grégory Draperi
> > >
> >
>

Re: [VOTE] Create the "security" mailing list for the OFBiz project

thangnguyen.Olbius
+1
Thanks & Regards
On Tue, Jul 26, 2016 at 5:53 AM, Scott Gray <[hidden email]>
wrote:

> Thanks for confirming Jacopo, +1 from me
>
> On 26/07/2016 00:32, "Jacopo Cappellato" <
> [hidden email]> wrote:
>
> > Correct!
> > A project can ask for the creation of the security list and the PMC may
> > invite non-PMC members.
> >
> > Jacopo
> >
> > On Mon, Jul 25, 2016 at 12:06 PM, Scott Gray <[hidden email]> wrote:
> >
> > > Ok I had a read of http://www.apache.org/security/committers.html and I see
> > > how it works.  Looks like PMC is the default alternative "security team"
> > > when a security list doesn't exist.
> > >
> > > On 25 July 2016 at 21:31, gregory draperi <[hidden email]>
> > > wrote:
> > >
> > > > On my side I voted +1 as I think it would be easier for me to follow
> > > > security topics with a dedicated list.
> > > > Furthermore, I don't need to be added to the private list as I don't
> > > > need/want to be part of strategy or main orientations discussions for
> > > > Ofbiz.
> > > >
> > > >
> > > > 2016-07-25 11:27 GMT+02:00 Scott Gray <[hidden email]>:
> > > >
> > > > > > Why would we do that?  Security concerns are the responsibility of the PMC
> > > > > > and supposed to be kept confidential until resolved aren't they?
> > > > >
> > > > > > On 25 July 2016 at 20:31, Jacques Le Roux <[hidden email]>
> > > > > > wrote:
> > > > >
> > > > > > I guess we need at least a separate list to grant access to non
> > > > > > OFBiz-PMC/ASF members
> > > > > >
> > > > > > Jacques
> > > > > >
> > > > > >
> > > > > >
> > > > > > Le 25/07/2016 à 06:38, Scott Gray a écrit :
> > > > > >
> > > > > > >> Do we actually need a separate mailing list, or should it just forward to
> > > > > > >> private@?
> > > > > >>
> > > > > >> Regards
> > > > > >> Scott
> > > > > >>
> > > > > >> On 25 July 2016 at 15:58, Ashish Vijaywargiya <
> > > > > >> [hidden email]> wrote:
> > > > > >>
> > > > > >> +1
> > > > > >>>
> > > > > >>> --
> > > > > >>> Kind Regards
> > > > > >>> Ashish Vijaywargiya
> > > > > >>> HotWax Systems - est. 1997
> > > > > >>>
> > > > > >>>
> > > > > >>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <
> > > > > >>> [hidden email]> wrote:
> > > > > >>>
> > > > > > >>>> Rationale: every ASF project needs a private list to discuss product
> > > > > > >>>> vulnerabilities; for OFBiz the "private" list has been used for this
> > > > > > >>>> purpose until now; however an ad-hoc list may be useful because it could
> > > > > > >>>> provide a more focused space to discuss the security issues and could
> > > > > > >>>> provide more flexibility to invite in the private list persons willing to
> > > > > > >>>> help that are trusted by the PMC.
> > > > > > >>>>
> > > > > > >>>> Please vote,
> > > > > > >>>>
> > > > > > >>>> +1
> > > > > > >>>>
> > > > > > >>>> to create a "security" list (i.e. [hidden email]) and move all
> > > > > > >>>> the security related discussions and notifications currently happening on
> > > > > > >>>> the private list to this new list: according to the ASF policies [*] the
> > > > > > >>>> list will be a private list used by the persons willing to help to resolve
> > > > > > >>>> security issues; the list of subscribers will be approved by the OFBiz PMC.
> > > > > > >>>>
> > > > > > >>>> Otherwise vote -1 to continue to use the "private" mailing list for
> > > > > > >>>> vulnerability handling.
> > > > > > >>>>
> > > > > > >>>> [*] http://www.apache.org/security/
> > > > > >>>>
> > > > > >>>>
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Grégory Draperi
> > > >
> > >
> >
>



--
*THANG NGUYEN (Mr)*

*OLBIUS DEVELOPER*
*Email:* [hidden email] | *Mobile:* (+84) 1674636641

*OLBIUS., JSC*
*Tel:* (+84) 9 88 99 3333
*Address: *25th Fl., No 91, Nguyen Chi Thanh St., Ha Noi City, VietNam
*Website:* http://olbius.com

Re: [VOTE] Create the "security" mailing list for the OFBiz project

Arun Patidar-2
In reply to this post by Jacopo Cappellato-5
+1

Thanks & Regards
---
Arun Patidar
Manager, Enterprise Software Development
  HotWax Systems
www.hotwaxsystems.com

On Sunday 24 July 2016 06:02 PM, Jacopo Cappellato wrote:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/
>


Re: [VOTE] Create the "security" mailing list for the OFBiz project

Jacopo Cappellato-5
In reply to this post by Jacopo Cappellato-5
+1

Jacopo

On Sun, Jul 24, 2016 at 2:32 PM, Jacopo Cappellato <
[hidden email]> wrote:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/
>