Everyone - as we're trying to define the ACS security response plan, we started considering the idea of a pre-disclosure mailing list. Membership would consist of security teams from organizations that have large installations of ACS upon which their business is critical. The idea was based on Xen's pre-disclosure list[1]. After we (PPMC) discussed and invited thoughts from secur...@apache.org, it was suggested that we get feedback from the general development community. I'll summarize the discussion points below, but would love to hear further thoughts or comments from everyone.
* The initial thought was to have the list for distributions that include ACS, but expanded to consider organizations with significant installations.
* For organizations who have decided to base their business (or a good chunk of it) on ACS, advance notice allows them a chance to mitigate security issues which could cause significant operational issues before general release to the public.
* Having a pre-disclosure list, though, means we would need to manage who gets on and who doesn't. Membership would have to be limited by either install size, criticality of the install base, or some other similar metric. If we don't limit membership, it's the same as just doing a public announcement.
* Some are worried that management of this list could be significant work or cause stress in the community.
* We'd have to keep the pre-disclosure advance notice timeframe fairly small, otherwise it'll leak out without responsible control on our behalf.
* In some cases, individuals have seen vulnerability reports demand that certain organizations do not get pre-disclosure. So that's something we might have to deal with.
* One question is if membership should be limited to organizations who have individuals who contribute to the project, or if it should be open to anyone. The concept being "why should they get something from us when we get nothing from them?"
* One suggestion was to use the pre-disclosure list not so much as an advance-warning list, but as a QA list, allowing folks to review the announcement before it is published for general consumption.

From my POV, I don't think of ASF as a "give to get" community. Yes, we want to grow the contributing community, but I think we should be pleased/flattered that any large organization wants to use our toils.

Also, I think of security information in open source projects not as something that is traded between committers only, but distributed to those who are affected by the information based on the potential severity of not having advance notice. For comparison, I see OpenStack has the concept of "downstream stakeholders" for a similar purpose[2].

John

1: http://www.xen.org/projects/security_vulnerability_process.html (search down for the "Pre-disclosure list" section near the bottom)
2: http://wiki.openstack.org/VulnerabilityManagement#Downstream_stakeholders