Many people in the RT projects have heard of this, but this is the request to get this mailing list created. Initial members should be all project leads for the RT project, but if you just want to make the list I'll follow up with the various groups to make sure everyone gets on it. The impetus behind this is that Jetty has always had a mechanism to notify the community of security related issues, and it was thought that all projects in RT ought to be linked up for getting this information out amongst the key stakeholders in the RT community.

cc'ing Greg, my Jetty project lead, so he knows the request as well.

cheers
So is this a Jetty-only list, or for RT as a whole?
Closing as invalid. If you still need this list, please provide the info requested in comment 1 and we'll make it happen.
RT as a whole, I would think, as this is something that the RT group as a whole would be concerned about; Jetty can't be the only one that has to worry about security vulnerabilities.

Reopening and adding Jeff McAffer as a watcher, and asking him if we can put this on the agenda for the next RT PMC meeting.

cheers
jesse
We reviewed this issue in the latest RT-PMC call. Notes are here: http://wiki.eclipse.org/RT/meetings/PMC_Minutes_091202

This would be a closed list, a la the board votes lists and others of that ilk...
(In reply to comment #4)
> this would be a closed list

One thing to consider is that Bugzilla already has an option for private (closed) bugs specifically for this purpose. As I see it, it is enabled for Jetty. The typical workflow here is that someone (on your team, or a user) reports an 'open' bug saying 'I found a security issue'. You would then mark the bug as private, enabling discussion only between Eclipse Committers, the bug reporter, and anyone else in the CC list. Once the issue is resolved, patches are created, advisories are sent, you could (and eventually should) open the bug to the general public.

This option is more flexible than a mailing list, since you can easily add 'outsiders' to the CC list so that they can participate. I would encourage you to try the option if you think it could suit your needs. If not, we can go ahead and create a mailing list.
Sorry I missed that call. I agree with Denis that we should try the Bugzilla approach but have two questions:
- how do I get notified of a new security issue
- who is approved to look at security issues

BTW, Jesse, feel free to edit the wiki at any time to add agenda topics for the RT PMC calls.
> - how do I get notified of a new security issue
> - who is approved to look at security issues

The typical workflow is that someone (on your team, or a user) opens a plain bug saying 'I found a security issue' with no other details. Someone on the RT team would then mark the bug as private, enabling discussion only between Eclipse Committers (all of them), the bug reporter, and anyone else you decide to include in the CC list. Bug 223539 is a prime example of how this works.