Group Proposal, for further discussion: Vulnerability Group

Andrew Haley aph at
Mon Feb 26 08:19:44 UTC 2018

On 21/02/18 06:04, John Coomes wrote:

> First, is it the intent of the Group to allow sharing of vulnerability
> fixes ("Confidential Information" is the term used in the NDLA) among
> Members via means other than the mailing list?  Second, more specifically,
> would a repository shared exclusively among Members be an acceptable means
> of sharing vulnerability fixes?
> If the answer to either of the above is yes, it would be helpful to amend
> the NDLA to make that clear.

We don't want to overly restrict the means we use to communicate.
Getting the legal agreement changed once it's signed will be extremely

Having said that, a single shared repository that contains all of our
most secret information and its entire history doesn't immediately
sound to me like a good idea if we can avoid it.  Whatever we do, we
must agree to it as a group, with help and advice from other security

Andrew Haley
Java Platform Lead Engineer
Red Hat UK Ltd.
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671
