Posted to dev@netbeans.apache.org by Bruno Flavio <em...@brunoflavio.com> on 2016/10/04 09:31:03 UTC

private@ mailing list.

Hello all,



I'm new to the ASF - still getting started and reading the new committer documentation.



Besides dev@ commits@ and users@, should committers join the private@ mailing list as well?



Best regards,

Bruno Flávio.





Re: Security mailing list ?

Posted by Emilian Bold <em...@gmail.com>.
> That means security issues will be redirected to the private
> mailing list

This makes sense.


--emi

On Tue, Oct 4, 2016 at 1:18 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:

> On 04/10/16 at 12:10, Emilian Bold wrote:
> > I don't believe NetBeans had a security team before. So I'm pretty certain
> > the list will be quite deserted.
> >
> > I understand that IDEs could have security breaches (IntelliJ had an
> > interesting flaw:
> > http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
> > )
> > but by definition an IDE handles a lot of executable code. Where do you
> > draw the line? Any Maven artifact is a potential trojan, should we sandbox
> > all executions?
> >
> > I would say not to create a security@ mailing list at this point and wait
> > for the 1st security issues first.
>
> Okie. That means security issues will be redirected to the private
> mailing list (just for clarity...).
>

Re: Security mailing list ?

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 04/10/16 at 12:10, Emilian Bold wrote:
> I don't believe NetBeans had a security team before. So I'm pretty certain
> the list will be quite deserted.
>
> I understand that IDEs could have security breaches (IntelliJ had an
> interesting flaw:
> http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
> )
> but by definition an IDE handles a lot of executable code. Where do you
> draw the line? Any Maven artifact is a potential trojan, should we sandbox
> all executions?
>
> I would say not to create a security@ mailing list at this point and wait
> for the 1st security issues first.

Okie. That means security issues will be redirected to the private
mailing list (just for clarity...).

Re: Security mailing list ?

Posted by Emilian Bold <em...@gmail.com>.
I don't believe NetBeans had a security team before. So I'm pretty certain
the list will be quite deserted.

I understand that IDEs could have security breaches (IntelliJ had an
interesting flaw:
http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
)
but by definition an IDE handles a lot of executable code. Where do you
draw the line? Any Maven artifact is a potential trojan, should we sandbox
all executions?

I would say not to create a security@ mailing list at this point and wait
for the 1st security issues first.



--emi

On Tue, Oct 4, 2016 at 1:04 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:

> Hi guys,
>
> I was wondering if it would not be a good idea to also create a
> security@netbeans.apache.org mailing list ?
>
> Netbeans is a pretty big project, and I suspect that it will be subject
> of security breaches that would need some private discussions.
>
> wdyt ?
>

Re: Security mailing list ?

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 04/10/16 at 12:22, Bertrand Delacretaz wrote:
> Hi,
>
> On Tue, Oct 4, 2016 at 12:04 PM, Emmanuel Lécharny <el...@gmail.com> wrote:
>> ...I was wondering if it would not be a good idea to also create a
>> security@netbeans.apache.org mailing list ? ...
> As per http://www.apache.org/security/ people can use
> security@apache.org initially, I suggest that we use that channel for
> now and move to a specific NetBeans list later, once the process is
> well understood.

+1


Re: Security mailing list ?

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Tue, Oct 4, 2016 at 12:04 PM, Emmanuel Lécharny <el...@gmail.com> wrote:
> ...I was wondering if it would not be a good idea to also create a
> security@netbeans.apache.org mailing list ? ...

As per http://www.apache.org/security/ people can use
security@apache.org initially, I suggest that we use that channel for
now and move to a specific NetBeans list later, once the process is
well understood.

-Bertrand

Security mailing list ?

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi guys,

I was wondering if it would not be a good idea to also create a
security@netbeans.apache.org mailing list ?

Netbeans is a pretty big project, and I suspect that it will be subject
of security breaches that would need some private discussions.

wdyt ?

Re: private@ mailing list.

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 04/10/16 at 11:54, Bertrand Delacretaz wrote:
> Hi,
>
> On Tue, Oct 4, 2016 at 11:31 AM, Bruno Flavio <em...@brunoflavio.com> wrote:
>> ...Besides dev@ commits@ and users@, should committers join the private@ mailing list as well?..
> I *think* we should make all initial committers part of the podling's
> PPMC, do the other mentors agree?
>
> If they do I would suggest that PPMC members (so == committers if we
> agree) subscribe once their @apache.org account has been created - but
> let's wait for the other mentors opinion.
Well, I have no opinion. Whatever works, I guess ;-)


Re: private@ mailing list.

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Tue, Oct 4, 2016 at 11:58 AM, Emilian Bold <em...@gmail.com> wrote:
>> [...] I would suggest that PPMC members [...] subscribe once their
>> @apache.org account has been created [...]
>
> What difference does it make? I mean, is it about the iCLA or about the
> @apache email alias? ...

It's about making sure people have done their homework and submitted
their iCLA before being involved in electing other people for example.

-Bertrand (being a bit cautious with these things as the NetBeans
initial committers list is quite large)

Re: private@ mailing list.

Posted by Emilian Bold <em...@gmail.com>.
> [...] I would suggest that PPMC members [...] subscribe once their
> @apache.org account has been created [...]

What difference does it make? I mean, is it about the iCLA or about the
@apache email alias?


--emi

On Tue, Oct 4, 2016 at 12:54 PM, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:

> Hi,
>
> On Tue, Oct 4, 2016 at 11:31 AM, Bruno Flavio <em...@brunoflavio.com> wrote:
> > ...Besides dev@ commits@ and users@, should committers join the private@
> > mailing list as well?..
>
> I *think* we should make all initial committers part of the podling's
> PPMC, do the other mentors agree?
>
> If they do I would suggest that PPMC members (so == committers if we
> agree) subscribe once their @apache.org account has been created - but
> let's wait for the other mentors opinion.
>
> (BTW the goal is to use that private list only when absolutely needed,
> like when discussing candidates for committer or PMC elections or
> other topics that absolutely really totally need to be private)
>
> -Bertrand
>

Re: private@ mailing list.

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Tue, Oct 4, 2016 at 11:31 AM, Bruno Flavio <em...@brunoflavio.com> wrote:
> ...Besides dev@ commits@ and users@, should committers join the private@ mailing list as well?..

I *think* we should make all initial committers part of the podling's
PPMC, do the other mentors agree?

If they do I would suggest that PPMC members (so == committers if we
agree) subscribe once their @apache.org account has been created - but
let's wait for the other mentors opinion.

(BTW the goal is to use that private list only when absolutely needed,
like when discussing candidates for committer or PMC elections or
other topics that absolutely really totally need to be private)

-Bertrand

Re: private@ mailing list.

Posted by Bruno Flavio <em...@brunoflavio.com>.
Understood, thank you very much for the clarification.

Just making sure I wasn't missing out on something I should be aware of.


-Bruno.


---- On Tue, 04 Oct 2016 10:56:53 +0100 Emmanuel Lécharny <elecharny@gmail.com> wrote ----

On 04/10/16 at 11:31, Bruno Flavio wrote:
> Hello all,
>
> I'm new to the ASF - still getting started and reading the new committer documentation.
>
> Besides dev@ commits@ and users@, should committers join the private@ mailing list as well?
No, this is a list used by the Podling PMC (Project Management
Committee). As its name suggests, it's private. Now, don't get it wrong :
there is no secret to hide ! It's just used to discuss potential
committers and new members of the PMC, that for some obvious reason,
should remain private.

No technical discussion occurs on the private mailing list (except those
related to security).

Bottom line, 99% of the important discussions occur on the dev mailing list.

Welcome to the project !







Re: private@ mailing list.

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 04/10/16 at 11:31, Bruno Flavio wrote:
> Hello all,
>
>
>
> I'm new to the ASF - still getting started and reading the new committer documentation.
>
>
>
> Besides dev@ commits@ and users@, should committers join the private@ mailing list as well?
No, this is a list used by the Podling PMC (Project Management
Committee). As its name suggests, it's private. Now, don't get it wrong :
there is no secret to hide ! It's just used to discuss potential
committers and new members of the PMC, that for some obvious reason,
should remain private.

No technical discussion occurs on the private mailing list (except those
related to security).

Bottom line, 99% of the important discussions occur on the dev mailing list.

Welcome to the project !