I don't know anyone who uses Thunderbird. I never have. I'm not going to switch for this.
On Fri, Jan 09, 2015 at 10:26:05PM +0000, Andrew Kampjes wrote:
> So the way that I would see this working, is the security team would have
> up to maybe 4 people on it.
>
> If a researcher just sends the report in the clear to the list, all good,
> just keep discussing on the list in plaintext.
> If a researcher requests GPG encryption, then someone from the list would
> send them a pubkey and the researcher would send back the details encrypted.
>
> The initial point of contact on the security team can then forward the
> details onto the other members of the security team (there aren't many of
> them), enigmail thunderbird extension, which I assume most people use for
> doing GPG on email encrypt and send to multiple recipients.
>
> You are correct, mailing lists often break GPG if they're not configured
> correctly. I think that the simplest approach is to move the encrypted
> conversations off the security list when there are only 4ish members.
> In that case, the security@ovs list is mostly just to pick up the initial
> reports.
>
>
> On Sat Jan 10 2015 at 05:05:42 Ben Pfaff <b...@nicira.com> wrote:
>
> > On Fri, Jan 09, 2015 at 10:44:20AM +1300, Andrew Kampjes wrote:
> > > +Reporters may ask for a GPG key while initiating contact with the
> > > +security team to deliver more sensitive reports.
> > > +If the reporter has used GPG while disclosing, further vulnerability
> > > +details should also be discussed using GPG.
> >
> > This is a nice idea but I do not see how it is practical. How is a
> > mailing list discussion conducted using GPG?
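
Review bot: the added line "Reporters may ask for a GPG key while initiating contact with the security team" does not say whose key is handed out or how the reporter can check that it is genuine; consider naming the key holders and listing their key fingerprints in this document so a key received by mail can be compared against a published value. The second added sentence ("further vulnerability details should also be discussed using GPG") should also state which recipients follow-up messages are encrypted to, since the text does not say who besides the first contact can read them.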