Posted to dev@geronimo.apache.org by Aaron Mulder <am...@alumni.princeton.edu> on 2005/11/19 05:19:20 UTC

Create a security committee?

All,

I'd really like to have a group of interested and available people to
review security-related changes to Geronimo.  And by this I mean,
features dealing with SSL, security realms, storing files with
passwords, showing passwords in the console, establishing procedures
for "locking down the server", reviewing vulnerability reports, etc. 
I don't really mean nitty gritty details of JACC or conducting a
comprehensive security audit of the entire codebase.

What would people think of that, and are there any volunteers?

I should also note that I expect some vulnerabilities to be reported
to the PMC rather than to the public list, but I think a lot can be
done outside the PMC as well (or maybe I should exclude reviewing
vulnerability reports from what I'm talking about, I don't know if
there's a policy there).

Thanks,
    Aaron

Re: Create a security committee?

Posted by Dain Sundstrom <da...@iq80.com>.
I'd like to at least observe this, and participate where I can.

I suggest we exclude vulnerability reports from this so more people  
can participate.

-dain

On Nov 18, 2005, at 8:19 PM, Aaron Mulder wrote:

> All,
>
> I'd really like to have a group of interested and available people to
> review security-related changes to Geronimo.  And by this I mean,
> features dealing with SSL, security realms, storing files with
> passwords, showing passwords in the console, establishing procedures
> for "locking down the server", reviewing vulnerability reports, etc.
> I don't really mean nitty gritty details of JACC or conducting a
> comprehensive security audit of the entire codebase.
>
> What would people think of that, and are there any volunteers?
>
> I should also note that I expect some vulnerabilities to be reported
> to the PMC rather than to the public list, but I think a lot can be
> done outside the PMC as well (or maybe I should exclude reviewing
> vulnerability reports from what I'm talking about, I don't know if
> there's a policy there).
>
> Thanks,
>     Aaron


Re: Create a security committee?

Posted by Donald Woods <dr...@yahoo.com>.
I would also like to help in this endeavor...

-Donald

Kresten Krab Thorup (Trifork) wrote:
> I'd be happy to be part of this also.
> 
> Kresten Krab Thorup
> krab@trifork.com
> 
> 
> On Nov 19, 2005, at 5:19 AM, Aaron Mulder wrote:
> 
>> All,
>>
>> I'd really like to have a group of interested and available people to
>> review security-related changes to Geronimo.  And by this I mean,
>> features dealing with SSL, security realms, storing files with
>> passwords, showing passwords in the console, establishing procedures
>> for "locking down the server", reviewing vulnerability reports, etc.
>> I don't really mean nitty gritty details of JACC or conducting a
>> comprehensive security audit of the entire codebase.
>>
>> What would people think of that, and are there any volunteers?
>>
>> I should also note that I expect some vulnerabilities to be reported
>> to the PMC rather than to the public list, but I think a lot can be
>> done outside the PMC as well (or maybe I should exclude reviewing
>> vulnerability reports from what I'm talking about, I don't know if
>> there's a policy there).
>>
>> Thanks,
>>     Aaron
> 
> 

Re: Create a security committee?

Posted by "Kresten Krab Thorup (Trifork)" <kr...@trifork.com>.
I'd be happy to be part of this also.

Kresten Krab Thorup
krab@trifork.com


On Nov 19, 2005, at 5:19 AM, Aaron Mulder wrote:

> All,
>
> I'd really like to have a group of interested and available people to
> review security-related changes to Geronimo.  And by this I mean,
> features dealing with SSL, security realms, storing files with
> passwords, showing passwords in the console, establishing procedures
> for "locking down the server", reviewing vulnerability reports, etc.
> I don't really mean nitty gritty details of JACC or conducting a
> comprehensive security audit of the entire codebase.
>
> What would people think of that, and are there any volunteers?
>
> I should also note that I expect some vulnerabilities to be reported
> to the PMC rather than to the public list, but I think a lot can be
> done outside the PMC as well (or maybe I should exclude reviewing
> vulnerability reports from what I'm talking about, I don't know if
> there's a policy there).
>
> Thanks,
>     Aaron


Re: Create a security committee?

Posted by Kevan Miller <ke...@gmail.com>.
I'd be happy to help out. Limiting distribution of vulnerabilities to the
PMC would pose a problem for me, however. I'm also unsure that limiting
distribution of vulnerabilities is a good idea at this point: 1) the
exposure is low and 2) better to keep all involved/aware rather than a
limited few...
--kevan

On 11/18/05, Aaron Mulder <am...@alumni.princeton.edu> wrote:
>
> All,
>
> I'd really like to have a group of interested and available people to
> review security-related changes to Geronimo. And by this I mean,
> features dealing with SSL, security realms, storing files with
> passwords, showing passwords in the console, establishing procedures
> for "locking down the server", reviewing vulnerability reports, etc.
> I don't really mean nitty gritty details of JACC or conducting a
> comprehensive security audit of the entire codebase.
>
> What would people think of that, and are there any volunteers?
>
> I should also note that I expect some vulnerabilities to be reported
> to the PMC rather than to the public list, but I think a lot can be
> done outside the PMC as well (or maybe I should exclude reviewing
> vulnerability reports from what I'm talking about, I don't know if
> there's a policy there).
>
> Thanks,
> Aaron
>

Re: Create a security committee?

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
Count me in.

-Vamsi
On 11/19/05, Aaron Mulder <am...@alumni.princeton.edu> wrote:
>
> All,
>
> I'd really like to have a group of interested and available people to
> review security-related changes to Geronimo. And by this I mean,
> features dealing with SSL, security realms, storing files with
> passwords, showing passwords in the console, establishing procedures
> for "locking down the server", reviewing vulnerability reports, etc.
> I don't really mean nitty gritty details of JACC or conducting a
> comprehensive security audit of the entire codebase.
>
> What would people think of that, and are there any volunteers?
>
> I should also note that I expect some vulnerabilities to be reported
> to the PMC rather than to the public list, but I think a lot can be
> done outside the PMC as well (or maybe I should exclude reviewing
> vulnerability reports from what I'm talking about, I don't know if
> there's a policy there).
>
> Thanks,
> Aaron
>

Re: Create a security committee?

Posted by Jeff Genender <jg...@apache.org>.
I'd be happy to be a part of this.

Jeff

Aaron Mulder wrote:
> All,
> 
> I'd really like to have a group of interested and available people to
> review security-related changes to Geronimo.  And by this I mean,
> features dealing with SSL, security realms, storing files with
> passwords, showing passwords in the console, establishing procedures
> for "locking down the server", reviewing vulnerability reports, etc. 
> I don't really mean nitty gritty details of JACC or conducting a
> comprehensive security audit of the entire codebase.
> 
> What would people think of that, and are there any volunteers?
> 
> I should also note that I expect some vulnerabilities to be reported
> to the PMC rather than to the public list, but I think a lot can be
> done outside the PMC as well (or maybe I should exclude reviewing
> vulnerability reports from what I'm talking about, I don't know if
> there's a policy there).
> 
> Thanks,
>     Aaron