
Re: Almost no one is subscribed to our security mailing list

Hello Zayyad,

Thank you for the excellent question.

The security list is a list that only committers and PMC members can view.
But anyone can send emails to it.  The security list can be used to report
security vulnerabilities.  It can also be used to handle responses to those

If you are wondering how security vulnerabilities are handled at Apache,
this is an excellent guide:

When we started a security list it was to replace the use of the private
list for planning security responses.  One potential advantage to this
change is that committers can participate, whereas only PMC members can
participate on private.

By creating the security list, we offered all of our committers a
promotion.  : o)

Best Regards,

On Wed, Dec 5, 2018 at 11:54 AM Zayyad A. Said <
zayyad@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> Dear Myrle,
> Was the list created to serve a special purpose other than what the dev
> list serves?
> It's critical to understand the purpose of the list before one subscribes
> to it.
> Kindly enlighten us.
> Regards,
> Zayyad A. Said
> On Wed, Dec 5, 2018, 13:16 Myrle Krantz <myrle@xxxxxxxxxx> wrote:
>> Current subscribees are:
>> * me
>> * Ed
>> * Vishwas
>> Thank you Ed and Vishwas for sharing responsibility for this critical
>> aspect of our project.
>> Potential subscribees are anyone who has a committership or is on the PMC
>> of Fineract.
>> If you wish to subscribe please write an email to
>> security-subscribe@xxxxxxxxxxxxxxxxxxx.  If you have any difficulties,
>> please write an email to dev@xxxxxxxxxxxxxxxxxxx to let us know.
>> Unless people start subscribing, I will ask INFRA to remove the mailing
>> list.  With so few people subscribed, the security mailing list cannot
>> serve its purpose, and will be more of a problem than a solution.
>> Best Regards,
>> Myrle