On 10/11/2011, at 3:36 AM, Chris Wright wrote:
> * Carl Trieloff (cctrieloff(a)redhat.com) wrote:
> > I think as long as the key members from each project are on the list,
> > and it is oVirt project wide I think it will work. If we do a private
> > list we can control the subscriptions to maintainers or something like
> > that. I would be interested to know if any projects have a public
> > security list. I don't know of any, but am going to google around a bit.
>
> I'm not familiar with any. I haven't looked, but in all the projects
> I've been involved in directly or indirectly the list was private. The
> private list can work with distros via linux-distros(a)openwall.org list to
> privately discuss things like embargo dates and oss-security(a)openwall.org
> to openly discuss security issues (CVE request, classes of bugs, etc).
If it helps as an example, the aeolus-security mailing list gives a public
GPG key on our website. So, security professionals can sign/encrypt stuff
to us if desired. That mailing list goes to core project members only, who
have the private key, and the archives are also restricted.
Seems like an ok approach, but we haven't had to actually make use of it
yet. ;>
Regards and best wishes,
Justin Clift
--
Aeolus Community Manager
http://www.aeolusproject.org