I'll go with the consensus here but I feel that the security list should be
for humans and posts there deserve human attention on an ASAP basis. I've
just seen too many false positives and noise from automated tools over the
years.

Gary

On Sat, Apr 17, 2021, 09:48 Stefan Bodewig <bode...@apache.org> wrote:

> On 2021-04-13, Mark Thomas wrote:
>
> > On 13/04/2021 17:49, Stefan Bodewig wrote:
>
> > <snip/>
>
> >> Fabian has offered to set up OSS Fuzz for Compress. Given that the
> >> issues OSS Fuzz detects may or may not be security sensitive, I don't
> >> feel it would be a good idea to have the tool send reports to a public
> >> mailing list. Therefore I propose to create another subscription
> >> moderated list just for these kinds of reports. I'm afraid it could be
> >> too noisy for security@commons.
>
> > Following the "split by audience, not by topic" guideline, I'd suggest
> > using security@commons.a.o rather than a separate list. Much, much
> > bigger projects than Compress use OSS Fuzz and direct traffic to their
> > security list where it seems to be manageable.
>
> With more projects jumping in this may become more traffic. Given that
> at least one subscriber of security@ (Gary) is strongly against using
> that list, I don't want to force it on him.
>
> Stefan
>
