> The PMC can also assign members to a secur...@pulsar.apache.org mailing list.
+1 for this plan.

BR,
Lari

On Fri, May 28, 2021 at 2:24 AM Dave Fisher <w...@apache.org> wrote:

> Looking at this as a PMC member who has had to triage security for a very
> widely downloaded and old project codebase (OpenOffice) there is some
> record keeping that the PMC should do in private to track vulnerabilities
> before they are CVEs.
>
> The PMC can also assign members to a secur...@pulsar.apache.org mailing
> list.
>
> The PMC can request a private SVN repository and/or private Confluence
> Wiki for keeping records and assuring that such missed back ports are less
> likely. (Private Git limited to the PMC is not currently possible (it is an
> Infra wish)) Doing this allows even “non-technical” PMC members to help
> manage the CVE process.
>
> All The Best,
> Dave
>
> > I look forward to your thoughts and suggestions.
> >
> > Thanks,
> >
> > Michael Marshall