Posted to dev@netbeans.apache.org by Emmanuel Lécharny <el...@gmail.com> on 2016/10/04 10:04:00 UTC

Security mailing list ?

Hi guys,

I was wondering if it would not be a good idea to also create a
security@netbeans.apache.org mailing list ?

NetBeans is a pretty big project, and I suspect that it will be subject
to security breaches that would need some private discussions.

wdyt ?

Re: Security mailing list ?

Posted by Emilian Bold <em...@gmail.com>.
> That means security issues will be redirected to the private
> mailing list

This makes sense.


--emi

On Tue, Oct 4, 2016 at 1:18 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:

> On 04/10/16 at 12:10, Emilian Bold wrote:
> > I don't believe NetBeans had a security team before. So I'm pretty certain
> > the list will be quite deserted.
> >
> > I understand that IDEs could have security breaches (IntelliJ had an
> > interesting flaw:
> > http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
> > )
> > but by definition an IDE handles a lot of executable code. Where do you
> > draw the line? Any Maven artifact is a potential trojan, should we sandbox
> > all executions?
> >
> > I would say not to create a security@ mailing list at this point and wait
> > for the 1st security issues first.
>
> Okie. That means security issues will be redirected to the private
> mailing list (just for clarity...).
>

Re: Security mailing list ?

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 04/10/16 at 12:10, Emilian Bold wrote:
> I don't believe NetBeans had a security team before. So I'm pretty certain
> the list will be quite deserted.
>
> I understand that IDEs could have security breaches (IntelliJ had an
> interesting flaw:
> http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
> )
> but by definition an IDE handles a lot of executable code. Where do you
> draw the line? Any Maven artifact is a potential trojan, should we sandbox
> all executions?
>
> I would say not to create a security@ mailing list at this point and wait
> for the 1st security issues first.

Okie. That means security issues will be redirected to the private
mailing list (just for clarity...).

Re: Security mailing list ?

Posted by Emilian Bold <em...@gmail.com>.
I don't believe NetBeans had a security team before. So I'm pretty certain
the list will be quite deserted.

I understand that IDEs could have security breaches (IntelliJ had an
interesting flaw:
http://blog.saynotolinux.com/blog/2016/08/15/jetbrains-ide-remote-code-execution-and-local-file-disclosure-vulnerability-analysis/
)
but by definition an IDE handles a lot of executable code. Where do you
draw the line? Any Maven artifact is a potential trojan, should we sandbox
all executions?

I would say not to create a security@ mailing list at this point and wait
for the 1st security issues first.



--emi

On Tue, Oct 4, 2016 at 1:04 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:

> Hi guys,
>
> I was wondering if it would not be a good idea to also create a
> security@netbeans.apache.org mailing list ?
>
> NetBeans is a pretty big project, and I suspect that it will be subject
> to security breaches that would need some private discussions.
>
> wdyt ?
>

Re: Security mailing list ?

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 04/10/16 at 12:22, Bertrand Delacretaz wrote:
> Hi,
>
> On Tue, Oct 4, 2016 at 12:04 PM, Emmanuel Lécharny <el...@gmail.com> wrote:
>> ...I was wondering if it would not be a good idea to also create a
>> security@netbeans.apache.org mailing list ? ...
> As per http://www.apache.org/security/ people can use
> security@apache.org initially, I suggest that we use that channel for
> now and move to a specific NetBeans list later, once the process is
> well understood.

+1


Re: Security mailing list ?

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Tue, Oct 4, 2016 at 12:04 PM, Emmanuel Lécharny <el...@gmail.com> wrote:
> ...I was wondering if it would not be a good idea to also create a
> security@netbeans.apache.org mailing list ? ...

As per http://www.apache.org/security/ people can use
security@apache.org initially, I suggest that we use that channel for
now and move to a specific NetBeans list later, once the process is
well understood.

-Bertrand