On 13/04/2021 17:49, Stefan Bodewig wrote: <snip/>
Fabian has offered to set up OSS Fuzz for Compress. Given that the issues OSS Fuzz detects may or may not be security sensitive, I don't feel it would be a good idea to have the tool send reports to a public mailing list. Therefore I propose to create another subscription moderated list just for these kinds of reports. I'm afraid it could be too noisy for security@commons.
Following the "split by audience, not by topic" guideline, I'd suggest using security@commons.a.o rather than a separate list. Much, much bigger projects than Compress use OSS Fuzz and direct traffic to their security list where it seems to be manageable.
Mark