Group Proposal, for further discussion: Vulnerability Group
John Coomes
jcoomes at twitter.com
Wed Feb 28 22:13:23 UTC 2018
On Mon, Feb 26, 2018 at 9:37 AM, <mark.reinhold at oracle.com> wrote:
> 2018/2/20 22:04:16 -0800, John Coomes <jcoomes at twitter.com>:
> > ...
> > First, is it the intent of the Group to allow sharing of vulnerability
> > fixes ("Confidential Information" is the term used in the NDLA) among
> > Members via means other than the mailing list?
>
> The proposal describes two communication channels for the discussion of
> vulnerability fixes: The vuln-dev list and the JDK bug system (JBS) [2].
> It does not explicitly limit the sharing of fixes to those two channels.
> The adoption of some other channel would have to be consistent with the
> proposal, agreed to by the Group, and subject to the NDLA.
>
> > Second, more specifically, would a repository shared exclusively among
> > Members be an acceptable means of sharing vulnerability fixes?
>
> It might, if it could be made sufficiently secure, but I share Andrew's
> concern, expressed nearby -- a single repository containing all current
> and historical vulnerability information could itself present security
> risks, and would require careful thought.
>
Hi Mark,
Thanks for clarifying the intent of the proposal. We're meeting with our
legal folks today to review the NDLA as it relates to this; I will follow
up again soon.
Assuming proper management, I think the risks of a shared repo are
comparable to (and potentially even lower than) the mailing list and other
alternatives. Clearly this needs a longer discussion; I simply want to
ensure that the NDLA is flexible enough to allow it and other reasonable
alternatives.
-John