
On 10/11/2011, at 3:36 AM, Chris Wright wrote:
> * Carl Trieloff (cctrieloff@redhat.com) wrote:
>> I think that as long as the key members from each project are on the list, and it is oVirt project wide, it will work. If we do a private list we can control the subscriptions to maintainers or something like that. I would be interested to know if any projects have a public security list. I don't know of any, but am going to google around a bit.
>
> I'm not familiar with any. I haven't looked, but in all the projects I've been involved in directly or indirectly the list was private. The private list can work with distros via the linux-distros@openwall.org list to privately discuss things like embargo dates, and oss-security@openwall.org to openly discuss security issues (CVE requests, classes of bugs, etc.).
If it helps as an example, the aeolus-security mailing list gives a public GPG key on our website, so security professionals can sign/encrypt stuff to us if desired. That mailing list goes to core project members only, who have the private key, and the archives are also restricted. Seems like an OK approach, but we haven't had to actually make use of it yet. ;>

Regards and best wishes,

Justin Clift

--
Aeolus Community Manager
http://www.aeolusproject.org
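The workflow Justin describes, as an added shell example that is not the aeolus or oVirt project's own tooling: the list side generates a key pair and publishes the public half together with its fingerprint; the reporter imports the published key, refuses to use it unless the fingerprint matches the one obtained out of band, then signs and encrypts a report to it; only the keyring holding the list's private key can decrypt and verify it. Both sides are simulated in throwaway GnuPG homes. It assumes gpg (GnuPG 2.1 or later) on PATH; the addresses security@example.org and reporter@example.net, the function names and the report text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the aeolus or oVirt project's own tooling: a reporter
# encrypting and signing to a security list's published GPG key, and the
# list (private-key holders) decrypting it. Assumes gpg 2.1+ on PATH.
# Addresses, report text and function names are constructed for the demo.
set -eu

LIST_UID="security@example.org"      # constructed: the private list's address
REPORTER_UID="reporter@example.net"  # constructed: an outside reporter

# Primary-key fingerprint of the first key matching a user id in a keyring.
fingerprint_of() {  # $1 = GNUPGHOME, $2 = user id
    gpg --homedir "$1" --batch --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate a passphrase-less key pair (demo only: a real list key would be
# passphrase-protected and held by the core members, ideally on a token).
gen_key() {  # $1 = GNUPGHOME, $2 = user id
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never >/dev/null 2>&1
}

# Runs the full exchange and prints the report as the list side reads it.
run_demo() {
    WORK=$(mktemp -d)
    LIST_HOME="$WORK/list"; REPORTER_HOME="$WORK/reporter"
    mkdir -m 700 "$LIST_HOME" "$REPORTER_HOME"

    # 1. List side: create the list key, export the public half (the "GPG key
    #    on our website") and note the fingerprint to publish alongside it.
    gen_key "$LIST_HOME" "$LIST_UID"
    gpg --homedir "$LIST_HOME" --batch --armor --export "$LIST_UID" > "$WORK/list-pubkey.asc"
    PUBLISHED_FPR=$(fingerprint_of "$LIST_HOME" "$LIST_UID")

    # 2. Reporter side: import the published key, then compare its fingerprint
    #    with the one obtained out of band before trusting it for encryption.
    gen_key "$REPORTER_HOME" "$REPORTER_UID"
    gpg --homedir "$REPORTER_HOME" --batch --import "$WORK/list-pubkey.asc" >/dev/null 2>&1
    IMPORTED_FPR=$(fingerprint_of "$REPORTER_HOME" "$LIST_UID")
    [ "$IMPORTED_FPR" = "$PUBLISHED_FPR" ] || { echo "fingerprint mismatch" >&2; return 1; }

    # 3. Reporter signs (with its own key) and encrypts (to the list key only).
    #    --trust-model always is acceptable here because step 2 checked the key.
    printf 'Constructed demo report: private details would go here\n' > "$WORK/report.txt"
    gpg --homedir "$REPORTER_HOME" --batch --yes --trust-model always --armor \
        --local-user "$REPORTER_UID" --recipient "$LIST_UID" \
        --sign --encrypt --output "$WORK/report.asc" "$WORK/report.txt" 2>/dev/null
    gpg --homedir "$REPORTER_HOME" --batch --armor --export "$REPORTER_UID" > "$WORK/reporter-pubkey.asc"

    # 4. List side: decrypt with the private key and insist on a good signature
    #    from the reporter's (separately obtained) public key.
    gpg --homedir "$LIST_HOME" --batch --import "$WORK/reporter-pubkey.asc" >/dev/null 2>&1
    STATUS=$(gpg --homedir "$LIST_HOME" --batch --status-fd 1 \
                 --output "$WORK/plain.txt" --decrypt "$WORK/report.asc" 2>/dev/null)
    case "$STATUS" in
        *GOODSIG*) ;;
        *) echo "signature did not verify" >&2; return 1 ;;
    esac
    cat "$WORK/plain.txt"

    # Clean up the throwaway homes (and the agents gpg started for them).
    gpgconf --homedir "$LIST_HOME" --kill gpg-agent >/dev/null 2>&1 || true
    gpgconf --homedir "$REPORTER_HOME" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$WORK"
}
```

Step 2 is the part a reporter most often skips: a key fetched from the same website that an attacker could have altered proves nothing by itself, so the fingerprint should be cross-checked through a second channel (a release announcement, a signed tag, a phone call). Restricting the archives, as the message describes, complements rather than replaces this: an archive of encrypted mail is only as private as the custody of the list's private key.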