Group Proposal, for further discussion: Vulnerability Group

John Coomes jcoomes at
Wed Feb 28 22:13:23 UTC 2018

On Mon, Feb 26, 2018 at 9:37 AM, <mark.reinhold at> wrote:

> 2018/2/20 22:04:16 -0800, John Coomes <jcoomes at>:
> > ...

> > First, is it the intent of the Group to allow sharing of vulnerability
> > fixes ("Confidential Information" is the term used in the NDLA) among
> > Members via means other than the mailing list?
>
> The proposal describes two communication channels for the discussion of
> vulnerability fixes: The vuln-dev list and the JDK bug system (JBS) [2].
> It does not explicitly limit the sharing of fixes to those two channels.
> The adoption of some other channel would have to be consistent with the
> proposal, agreed to by the Group, and subject to the NDLA.
>
> > Second, more specifically, would a repository shared exclusively among
> > Members be an acceptable means of sharing vulnerability fixes?
>
> It might, if it could be made sufficiently secure, but I share Andrew's
> concern, expressed nearby -- a single repository containing all current
> and historical vulnerability information could itself present security
> risks, and would require careful thought.

Hi Mark,

Thanks for clarifying the intent of the proposal.  We're meeting with our
legal folks today to review the NDLA as it relates to this; I will follow
up again soon.

Assuming proper management, I think the risks of a shared repo are
comparable to (and potentially even lower than) the mailing list and other
alternatives.  Clearly this needs a longer discussion; I simply want to
ensure that the NDLA is flexible enough to allow it and other reasonable


More information about the discuss mailing list