+1. I think these are great suggestions.
-- Devin G. Bost

On Mon, May 31, 2021, 2:30 AM Lari Hotari <lhot...@apache.org> wrote:

> > The PMC can also assign members to a secur...@pulsar.apache.org mailing
> > list.
>
> +1 for this plan.
>
> BR, Lari
>
> On Fri, May 28, 2021 at 2:24 AM Dave Fisher <w...@apache.org> wrote:
>
> > Looking at this as a PMC member who has had to triage security for a very
> > widely downloaded and old project codebase (OpenOffice) there is some
> > record keeping that the PMC should do in private to track vulnerabilities
> > before they are CVEs.
> >
> > The PMC can also assign members to a secur...@pulsar.apache.org mailing
> > list.
> >
> > The PMC can request a private SVN repository and/or private Confluence
> > Wiki for keeping records and assuring that such missed back ports are less
> > likely. (Private Git limited to the PMC is not currently possible (it is an
> > Infra wish)) Doing this allows even “non-technical” PMC members to help
> > manage the CVE process.
> >
> > All The Best,
> > Dave
> >
> > > I look forward to your thoughts and suggestions.
> > >
> > > Thanks,
> > >
> > > Michael Marshall