Nick Cleaton wrote:
> I think I have the time, in fact I may well have Copious Free Time four
> weeks from now :)
That would be great; the only security audit so far was done by trixter,
2 years ago, and he proved that he was unable to understand the code,
IIRC ;)
> IMO a "Security Officer" should be a small team rather than one
> individual. How about a structure something like:
>
> security@??? and/or security-officer@???
>
> Published address for people to report security holes. Goes to a
> small group, who weed out the spam and false alarms and forward any
> genuine issues to:
Yep, sounds good, this should be at least 2-3 people. A mail-alias
should be enough.
> security-internal@??? (or somesuch)
>
> A closed, secret list that goes to a larger group of the major
> developers. Used by the security officers to announce the discovery
> of security problems and to get feedback on proposed patches before
> publication.
Well, in general I think that a closed developer list would be the best.
Introducing too many mailing lists just makes it harder to keep track of
them and also confuses the normal user. Where should someone outside of
the core developer team post a patch? To users or to -dev?
But I think first there needs to be a decision on how the development
team should be built and how many people should be involved.
Nico