Posted to dev@pulsar.apache.org by Devin Bost <de...@gmail.com> on 2021/06/01 03:43:12 UTC
Re: [DISCUSS] Propose More Formal Policy for Security Patches and EOL of Versions
+1.
I think these are great suggestions.
--
Devin G. Bost
On Mon, May 31, 2021, 2:30 AM Lari Hotari <lh...@apache.org> wrote:
> > The PMC can also assign members to a security@pulsar.apache.org mailing list.
>
> +1 for this plan.
>
> BR, Lari
>
>
> On Fri, May 28, 2021 at 2:24 AM Dave Fisher <wa...@apache.org> wrote:
>
> >
> >
> > Looking at this as a PMC member who has had to triage security for a very
> > widely downloaded and old project codebase (OpenOffice) there is some
> > record keeping that the PMC should do in private to track vulnerabilities
> > before they are CVEs.
> >
> > The PMC can also assign members to a security@pulsar.apache.org mailing
> > list.
> >
> > The PMC can request a private SVN repository and/or private Confluence
> > Wiki for keeping records and assuring that such missed back ports are less
> > likely. (Private Git limited to the PMC is not currently possible (it is an
> > Infra wish)) Doing this allows even “non-technical” PMC members to help
> > manage the CVE process.
> >
> > All The Best,
> > Dave
> >
> > >
> > > I look forward to your thoughts and suggestions.
> > >
> > > Thanks,
> > >
> > > Michael Marshall
> >
> >
>