Posted to dev@netbeans.apache.org by Emmanuel Lécharny <el...@gmail.com> on 2016/10/04 10:04:00 UTC
Security mailing list ?
Hi guys,
I was wondering if it would not be a good idea to also create a
security@netbeans.apache.org mailing list ?
Netbeans is a pretty big project, and I suspect that it will be subject
of security breaches that would need some private discussions.
wdyt ?
Re: Security mailing list ?
Posted by Emilian Bold <em...@gmail.com>.
> That means security issues will be redirected to the private
> mailing list
This makes sense.
--emi
On Tue, Oct 4, 2016 at 1:18 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:
> On 04/10/16 at 12:10, Emilian Bold wrote:
> > I don't believe NetBeans had a security team before. So I'm pretty certain
> > the list will be quite deserted.
> >
> > I understand that IDEs could have security breaches (IntelliJ had an
> > interesting flaw:
> > http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
> > )
> > but by definition an IDE handles a lot of executable code. Where do you
> > draw the line? Any Maven artifact is a potential trojan, should we sandbox
> > all executions?
> >
> > I would say not to create a security@ mailing list at this point and wait
> > for the 1st security issues first.
>
> Okie. That means security issues will be redirected to the private
> mailing list (just for clarity...).
>
Re: Security mailing list ?
Posted by Emmanuel Lécharny <el...@gmail.com>.
On 04/10/16 at 12:10, Emilian Bold wrote:
> I don't believe NetBeans had a security team before. So I'm pretty certain
> the list will be quite deserted.
>
> I understand that IDEs could have security breaches (IntelliJ had an
> interesting flaw:
> http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
> )
> but by definition an IDE handles a lot of executable code. Where do you
> draw the line? Any Maven artifact is a potential trojan, should we sandbox
> all executions?
>
> I would say not to create a security@ mailing list at this point and wait
> for the 1st security issues first.
Okie. That means security issues will be redirected to the private
mailing list (just for clarity...).
Re: Security mailing list ?
Posted by Emilian Bold <em...@gmail.com>.
I don't believe NetBeans had a security team before. So I'm pretty certain
the list will be quite deserted.
I understand that IDEs could have security breaches (IntelliJ had an
interesting flaw:
http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
)
but by definition an IDE handles a lot of executable code. Where do you
draw the line? Any Maven artifact is a potential trojan, should we sandbox
all executions?
I would say not to create a security@ mailing list at this point and wait
for the 1st security issues first.
--emi
On Tue, Oct 4, 2016 at 1:04 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:
> Hi guys,
>
> I was wondering if it would not be a good idea to also create a
> security@netbeans.apache.org mailing list ?
>
> Netbeans is a pretty big project, and I suspect that it will be subject
> of security breaches that would need some private discussions.
>
> wdyt ?
>
Re: Security mailing list ?
Posted by Emmanuel Lécharny <el...@gmail.com>.
On 04/10/16 at 12:22, Bertrand Delacretaz wrote:
> Hi,
>
> On Tue, Oct 4, 2016 at 12:04 PM, Emmanuel Lécharny <el...@gmail.com> wrote:
>> ...I was wondering if it would not be a good idea to also create a
>> security@netbeans.apache.org mailing list ? ...
> As per http://www.apache.org/security/ people can use
> security@apache.org initially, I suggest that we use that channel for
> now and move to a specific NetBeans list later, once the process is
> well understood.
+1
Re: Security mailing list ?
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,
On Tue, Oct 4, 2016 at 12:04 PM, Emmanuel Lécharny <el...@gmail.com> wrote:
> ...I was wondering if it would not be a good idea to also create a
> security@netbeans.apache.org mailing list ? ...
As per http://www.apache.org/security/ people can use
security@apache.org initially, I suggest that we use that channel for
now and move to a specific NetBeans list later, once the process is
well understood.
-Bertrand