Security mailing list

Security mailing list

jochen-2
Hi,

over the last months we have definitely seen our share of security
related issues. However, I also noticed that we had a tendency to
lose these threads in the overall noise, resulting in mails like "Did
anyone reply to the reporter?"

No, according to Linus Torvalds, that is perfectly fine, because a
security issue is "just another bug". However, I am not Linus, and
would like to see these things in a better state.

As a consequence, I'd like to question how others are handling this.
Could we have a mailing list, like [hidden email],
preferably with subscription limited to private@ members, and
[hidden email] subscribed automatically. (In theory, we could
subscribe selected committers, too.)

At the very least, this would allow us to create a filter for security
related messages, thereby concentrating our attention.

Jochen


--
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Security mailing list

Gilles Sadowski
On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:

> Hi,
>
> over the last months we have definitely seen our share of security
> related issues. However, I also noticed that we had a tendency to
> lose these threads in the overall noise, resulting in mails like
> "Did anyone reply to the reporter?"
>
> No, according to Linus Torvalds, that is perfectly fine, because a
> security issue is "just another bug". However, I am not Linus, and
> would like to see these things in a better state.
>
> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like [hidden email],

+1

Gilles



[All] Finer-grained MLs (Was: Security mailing list)

Gilles Sadowski
In reply to this post by jochen-2
On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
> [...]
> Could we have a mailing list, like [hidden email],
> [...]

I'd like to expand the suggestion: make component-specific MLs for
automatically generated messages (GitHub, JIRA, Nexus) so that people
not actively involved in the development of <some component> are not
overwhelmed by posts that are always to be deleted (in which case it
is rather more efficient to avoid sending it in the first place).

Of course, this opt-out would not concern "commit" messages.

Gilles




Re: [All] Finer-grained MLs (Was: Security mailing list)

sebb-2-2
On 15 December 2017 at 14:08, Gilles <[hidden email]> wrote:

> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>>
>> [...]
>> Could we have a mailing list, like [hidden email],
>> [...]
>
>
> I'd like to expand the suggestion: make component-specific MLs for
> automatically generated messages (GitHub, JIRA, Nexus) so that people
> not actively involved in the development of <some component> are not
> overwhelmed by posts that are always to be deleted (in which case it
> is rather more efficient to avoid sending it in the first place).

-1

For the same reason that commit messages are of concern to all Commons
developers.

Such messages are easy enough to filter if required.



Re: [All] Finer-grained MLs

Gilles Sadowski
On Fri, 15 Dec 2017 15:17:43 +0000, sebb wrote:

> On 15 December 2017 at 14:08, Gilles <[hidden email]>
> wrote:
>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>>>
>>> [...]
>>> Could we have a mailing list, like [hidden email],
>>> [...]
>>
>>
>> I'd like to expand the suggestion: make component-specific MLs for
>> automatically generated messages (GitHub, JIRA, Nexus) so that people
>> not actively involved in the development of <some component> are not
>> overwhelmed by posts that are always to be deleted (in which case it
>> is rather more efficient to avoid sending it in the first place).
>
> -1
>
> For the same reason that commit messages are of concern to all Commons
> developers.

YMMV.
They are not if the only action is always "Move to trash".
Such messages are useful only to those who decide so.  They can be
subscribed to as many lists as they want.
Why should others be annoyed by pull request notices if they are
never going to apply/read them?

Even worse, I receive some messages twice!
Sometimes there are so many of them that they are blocked by the ISP.
Hence I may be missing the one important (human-generated) message
because of the heap of information-less crap.

In case you did not notice, I'm not asking to split "dev"!
Only "issues".

The "concern" only applies to the assumption that committed code
is hopefully reviewed by (some of) the developers.
Or do I miss something? [We did not need nor use those automated
messages for years... The flood of mails is not an improvement!]

> Such messages are easy enough to filter if required.

YMMV.
It is healthier to not emit pollution than to filter it.

Gilles



Re: Security mailing list

Matt Sicker
In reply to this post by Gilles Sadowski
There certainly are several ASF projects that have dedicated security@
mailing lists (e.g., Tomcat has one). Would bug reporters still just email
[hidden email] and then security@ would forward to the appropriate
commons list?


--
Matt Sicker <[hidden email]>

Re: Security mailing list

sebb-2-2
On 15 December 2017 at 16:12, Matt Sicker <[hidden email]> wrote:
> There certainly are several ASF projects that have dedicated security@
> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
> [hidden email] and then security@ would forward to the appropriate
> commons list?

Either.

If they mail [hidden email] then they will forward to security@commons

If they mail security@commons, then [hidden email] is automatically copied.



Re: Security mailing list

jochen-2
I think that the topic would deserve a few more replies.

Jochen




Re: Security mailing list

Mark Thomas
In reply to this post by jochen-2
On 15/12/2017 11:13, Jochen Wiedmann wrote:

> Hi,
>
> over the last months we have definitely seen our share of security
> related issues. However, I also noticed that we had a tendency to
> lose these threads in the overall noise, resulting in mails like "Did
> anyone reply to the reporter?"
>
> No, according to Linus Torvalds, that is perfectly fine, because a
> security issue is "just another bug". However, I am not Linus, and
> would like to see these things in a better state.
>
> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like [hidden email],
> preferably with subscription limited to private@ members, and
> [hidden email] subscribed automatically. (In theory, we could
> subscribe selected committers, too.)

+1

Works for me.

Mark



Re: Security mailing list

Romain Manni-Bucau
+1

On 17 Dec 2017 12:14, "Mark Thomas" <[hidden email]> wrote:


Re: Security mailing list

Jacques Le Roux
+1

Jacques


On 17/12/2017 at 12:22, Romain Manni-Bucau wrote:



Re: Security mailing list

Rob Tompkins
+0 or +1. Seems ok.



Re: Security mailing list

garydgregory
In reply to this post by jochen-2
Is there a requirement to double post to [hidden email]? If not, switching from [hidden email]
to [hidden email] seems ok.

Gary


Re: Security mailing list

sebb-2-2
On 17 December 2017 at 15:07, Gary Gregory <[hidden email]> wrote:
> Is there a requirement to double post to [hidden email]? If not, switching from [hidden email]
> to [hidden email] seems ok.

Huh?
Not sure where the double post ref comes from.

All security issues must be copied to [hidden email].
This is done automatically if users post to [hidden email].

If they only post to [hidden email], then they will forward to [hidden email]


Re: Security mailing list

garydgregory
On Dec 17, 2017 08:39, "sebb" <[hidden email]> wrote:

> On 17 December 2017 at 15:07, Gary Gregory <[hidden email]> wrote:
>> Is there a requirement to double post to [hidden email]? If not, switching from [hidden email]
>> to [hidden email] seems ok.
>
> Huh?
> Not sure where the double post ref comes from.
>
> All security issues must be copied to [hidden email].
> This is done automatically if users post to [hidden email].
>
> If they only post to [hidden email], then they will forward to [hidden email]


Who will do this forwarding?

Gary



Re: Security mailing list

jochen-2
On Sun, Dec 17, 2017 at 6:47 PM, Gary Gregory <[hidden email]> wrote:

> If they only post to [hidden email], then they will forward to [hidden email]
>
>
> Who will do this forwarding?

The same persons, or mechanisms, which are forwarding to private@c.a.o now.


Jochen



Re: Security mailing list

Jochen-7
In reply to this post by garydgregory


On 2017-12-17 16:07, Gary Gregory <[hidden email]> wrote:
> Is there a requirement to double post to [hidden email]? If not, switching from [hidden email]
> to [hidden email] seems ok.

I understand that [hidden email] can be subscribed to [hidden email], so there would be no need for double posting. [1]

Jochen

1: https://issues.apache.org/jira/browse/INFRA-15671




Re: Security mailing list

Stefan Bodewig
In reply to this post by jochen-2
Hi

first of all I'm +0.

On 2017-12-15, Jochen Wiedmann wrote:

> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like [hidden email],
> preferably with subscription limited to private@ members, and
> [hidden email] subscribed automatically. (In theory, we could
> subscribe selected committers, too.)

My guess is we won't get people subscribed who are familiar enough with
the code for every component. In the end the subscribers of the security
list will need to reach out to the private list to deal with the issues
so I'm not sure the new list would be helping much. But I won't stand in
the way.

Stefan



Re: Security mailing list

sebb-2-2
On 18 December 2017 at 05:11, Stefan Bodewig <[hidden email]> wrote:

> Hi
>
> first of all I'm +0.
>
> On 2017-12-15, Jochen Wiedmann wrote:
>
>> As a consequence, I'd like to question how others are handling this.
>> Could we have a mailing list, like [hidden email],
>> preferably with subscription limited to private@ members, and
>> [hidden email] subscribed automatically. (In theory, we could
>> subscribe selected committers, too.)
>
> My guess is we won't get people subscribed who are familiar enough with
> the code for every component. In the end the subscribers of the security
> list will need to reach out to the private list to deal with the issues
> so I'm not sure the new list would be helping much. But I won't stand in
> the way.

Even if (nearly) everyone on the PMC ends up being subscribed to the
security list, IMO it should still help to keep track of issues.
We cannot use standard JIRA or Bugzilla because they are public.

So +1 from me.



Re: Security mailing list

jochen-2
In reply to this post by garydgregory
Okay, in my opinion the response indicates that my proposal is
acceptable to all. Do we need a formal vote? (I hope not.) So, how do
we proceed? Would it be okay for me to file a Jira issue?

Thanks,

Jochen


