
On 11/09/2011 11:46 AM, Justin Clift wrote:
> On 10/11/2011, at 3:36 AM, Chris Wright wrote:
>> * Carl Trieloff (cctrieloff@redhat.com) wrote:
>>> I think as long as the key members from each project are on the list, and it is oVirt project wide I think it will work. If we do a private list we can control the subscriptions to maintainers or something like that. I would be interested to know if any projects have a public security list. I don't know of any, but am going to google around a bit.
>>
>> I'm not familiar with any. I haven't looked, but in all the projects I've been involved in directly or indirectly the list was private. The private list can work with distros via linux-distros@openwall.org list to privately discuss things like embargo dates and oss-security@openwall.org to openly discuss security issues (CVE request, classes of bugs, etc).
>
> If it helps as an example, the aeolus-security mailing list gives a public GPG key on our website. So, security professionals can sign/encrypt stuff to us if desired. That mailing list goes to core project members only, who have the private key, and the archives are also restricted.
>
> Seems like an ok approach, but we haven't had to actually make use of it yet. ;>
>
> Regards and best wishes,
>
> Justin Clift
>
> --
> Aeolus Community Manager http://www.aeolusproject.org

Chris,

Do you want to start a vote to add the list? Suggesting a vote given the topic of the list and that it would be private.

Carl.