Thanks for confirming Jacopo, +1 from me
On 26/07/2016 00:32, "Jacopo Cappellato" <[hidden email]> wrote:

> Correct!
> A project can ask for the creation of the security list and the PMC may
> invite non-PMC members.
>
> Jacopo
>
> On Mon, Jul 25, 2016 at 12:06 PM, Scott Gray <[hidden email]> wrote:
>
> > Ok I had a read of http://www.apache.org/security/committers.html and I see
> > how it works. Looks like PMC is the default alternative "security team"
> > when a security list doesn't exist.
> >
> > On 25 July 2016 at 21:31, gregory draperi <[hidden email]> wrote:
> >
> > > On my side I voted +1 as I think it would be easier for me to follow
> > > security topics with a dedicated list.
> > > Furthermore, I don't need to be added to the private list as I don't
> > > need/want to be part of strategy or main orientations discussions for
> > > Ofbiz.
> > >
> > > 2016-07-25 11:27 GMT+02:00 Scott Gray <[hidden email]>:
> > >
> > > > Why would we do that? Security concerns are the responsibility of the PMC
> > > > and supposed to be kept confidential until resolved aren't they?
> > > >
> > > > On 25 July 2016 at 20:31, Jacques Le Roux <[hidden email]> wrote:
> > > >
> > > > > I guess we need at least a separate list to grant access to non
> > > > > OFBiz-PMC/ASF members
> > > > >
> > > > > Jacques
> > > > >
> > > > > On 25/07/2016 at 06:38, Scott Gray wrote:
> > > > >
> > > > >> Do we actually need a separate mailing list, or should it just forward to
> > > > >> private@?
> > > > >>
> > > > >> Regards
> > > > >> Scott
> > > > >>
> > > > >> On 25 July 2016 at 15:58, Ashish Vijaywargiya <[hidden email]> wrote:
> > > > >>
> > > > >>> +1
> > > > >>>
> > > > >>> --
> > > > >>> Kind Regards
> > > > >>> Ashish Vijaywargiya
> > > > >>> HotWax Systems - est. 1997
> > > > >>>
> > > > >>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <[hidden email]> wrote:
> > > > >>>
> > > > >>>> Rationale: every ASF project needs a private list to discuss product
> > > > >>>> vulnerabilities; for OFBiz the "private" list has been used for this
> > > > >>>> purpose until now; however an ad-hoc list may be useful because it could
> > > > >>>> provide a more focused space to discuss the security issues and could
> > > > >>>> provide more flexibility to invite in the private list persons willing to
> > > > >>>> help that are trusted by the PMC.
> > > > >>>>
> > > > >>>> Please vote,
> > > > >>>>
> > > > >>>> +1
> > > > >>>>
> > > > >>>> to create a "security" list (i.e. [hidden email]) and move all
> > > > >>>> the security related discussions and notifications currently happening on
> > > > >>>> the private list to this new list: according to the ASF policies [*] the
> > > > >>>> list will be a private list used by the persons willing to help to resolve
> > > > >>>> security issues; the list of subscribers will be approved by the OFBiz PMC.
> > > > >>>>
> > > > >>>> Otherwise vote -1 to continue to use the "private" mailing list for
> > > > >>>> vulnerability handling.
> > > > >>>>
> > > > >>>> [*] http://www.apache.org/security/
> > >
> > > --
> > > Grégory Draperi

+1
Thanks & Regards

On Tue, Jul 26, 2016 at 5:53 AM, Scott Gray <[hidden email]> wrote:

> Thanks for confirming Jacopo, +1 from me
>
> On 26/07/2016 00:32, "Jacopo Cappellato" <[hidden email]> wrote:
>
> > Correct!
> > A project can ask for the creation of the security list and the PMC may
> > invite non-PMC members.
> >
> > Jacopo
> >
> > On Mon, Jul 25, 2016 at 12:06 PM, Scott Gray <[hidden email]> wrote:
> >
> > > Ok I had a read of http://www.apache.org/security/committers.html and I see
> > > how it works. Looks like PMC is the default alternative "security team"
> > > when a security list doesn't exist.
> > >
> > > On 25 July 2016 at 21:31, gregory draperi <[hidden email]> wrote:
> > >
> > > > On my side I voted +1 as I think it would be easier for me to follow
> > > > security topics with a dedicated list.
> > > > Furthermore, I don't need to be added to the private list as I don't
> > > > need/want to be part of strategy or main orientations discussions for
> > > > Ofbiz.
> > > >
> > > > 2016-07-25 11:27 GMT+02:00 Scott Gray <[hidden email]>:
> > > >
> > > > > Why would we do that? Security concerns are the responsibility of the PMC
> > > > > and supposed to be kept confidential until resolved aren't they?
> > > > >
> > > > > On 25 July 2016 at 20:31, Jacques Le Roux <[hidden email]> wrote:
> > > > >
> > > > > > I guess we need at least a separate list to grant access to non
> > > > > > OFBiz-PMC/ASF members
> > > > > >
> > > > > > Jacques
> > > > > >
> > > > > > On 25/07/2016 at 06:38, Scott Gray wrote:
> > > > > >
> > > > > >> Do we actually need a separate mailing list, or should it just forward to
> > > > > >> private@?
> > > > > >>
> > > > > >> Regards
> > > > > >> Scott
> > > > > >>
> > > > > >> On 25 July 2016 at 15:58, Ashish Vijaywargiya <[hidden email]> wrote:
> > > > > >>
> > > > > >>> +1
> > > > > >>>
> > > > > >>> --
> > > > > >>> Kind Regards
> > > > > >>> Ashish Vijaywargiya
> > > > > >>> HotWax Systems - est. 1997
> > > > > >>>
> > > > > >>> On Sun, Jul 24, 2016 at 6:02 PM, Jacopo Cappellato <[hidden email]> wrote:
> > > > > >>>
> > > > > >>>> Rationale: every ASF project needs a private list to discuss product
> > > > > >>>> vulnerabilities; for OFBiz the "private" list has been used for this
> > > > > >>>> purpose until now; however an ad-hoc list may be useful because it could
> > > > > >>>> provide a more focused space to discuss the security issues and could
> > > > > >>>> provide more flexibility to invite in the private list persons willing to
> > > > > >>>> help that are trusted by the PMC.
> > > > > >>>>
> > > > > >>>> Please vote,
> > > > > >>>>
> > > > > >>>> +1
> > > > > >>>>
> > > > > >>>> to create a "security" list (i.e. [hidden email]) and move all
> > > > > >>>> the security related discussions and notifications currently happening on
> > > > > >>>> the private list to this new list: according to the ASF policies [*] the
> > > > > >>>> list will be a private list used by the persons willing to help to resolve
> > > > > >>>> security issues; the list of subscribers will be approved by the OFBiz PMC.
> > > > > >>>>
> > > > > >>>> Otherwise vote -1 to continue to use the "private" mailing list for
> > > > > >>>> vulnerability handling.
> > > > > >>>>
> > > > > >>>> [*] http://www.apache.org/security/
> > > >
> > > > --
> > > > Grégory Draperi

--
*THANG NGUYEN (Mr)*
*OLBIUS DEVELOPER*
*Email:* [hidden email] <[hidden email]> | *Mobile:* (+84) 1674636641
*OLBIUS., JSC*
*Tel:* (+84) 9 88 99 3333
*Address:* 25th Fl., No 91, Nguyen Chi Thanh St., Ha Noi City, VietNam
*Website:* http://olbius.com

In reply to this post by Jacopo Cappellato-5
+1
Thanks & Regards
---
Arun Patidar
Manager, Enterprise Software Development
HotWax Systems
www.hotwaxsystems.com

On Sunday 24 July 2016 06:02 PM, Jacopo Cappellato wrote:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/

In reply to this post by Jacopo Cappellato-5
+1
Jacopo

On Sun, Jul 24, 2016 at 2:32 PM, Jacopo Cappellato <[hidden email]> wrote:

> Rationale: every ASF project needs a private list to discuss product
> vulnerabilities; for OFBiz the "private" list has been used for this
> purpose until now; however an ad-hoc list may be useful because it could
> provide a more focused space to discuss the security issues and could
> provide more flexibility to invite in the private list persons willing to
> help that are trusted by the PMC.
>
> Please vote,
>
> +1
>
> to create a "security" list (i.e. [hidden email]) and move all
> the security related discussions and notifications currently happening on
> the private list to this new list: according to the ASF policies [*] the
> list will be a private list used by the persons willing to help to resolve
> security issues; the list of subscribers will be approved by the OFBiz PMC.
>
> Otherwise vote -1 to continue to use the "private" mailing list for
> vulnerability handling.
>
> [*] http://www.apache.org/security/