security at ovirt.org mailing list
Justin Clift
jclift at redhat.com
Wed Nov 9 16:46:28 UTC 2011
On 10/11/2011, at 3:36 AM, Chris Wright wrote:
> * Carl Trieloff (cctrieloff at redhat.com) wrote:
>> I think as long as the key members from each project are on the list,
>> and it is oVirt project wide I think it will work. If we do a private
>> list we can control the subscriptions to maintainers or something like
>> that. I would be interested to know if any projects have a public
>> security list. I don't know of any, but am going to google around a bit.
>
> I'm not familiar with any. I haven't looked, but in all the projects
> I've been involved in directly or indirectly the list was private. The
> private list can work with distros via linux-distros at openwall.org list to
> privately discuss things like embargo dates and oss-security at openwall.org
> to openly discuss security issues (CVE request, classes of bugs, etc).
If it helps as an example, the aeolus-security mailing list gives a public
GPG key on our website. So, security professionals can sign/encrypt stuff
to us if desired. That mailing list goes to core project members only, who
have the private key, and the archives are also restricted.

Seems like an ok approach, but we haven't had to actually make use of it
yet. ;>

Regards and best wishes,
Justin Clift
--
Aeolus Community Manager
http://www.aeolusproject.org