On 09/16/2015 10:52 AM, Tomas Hoger wrote:
> On Wed, 16 Sep 2015 07:30:52 -0500 Major Hayden wrote:
>> On 09/16/2015 12:46 AM, pjp(a)fedoraproject.org wrote:
>>> That's right. We need to publicise 'security(a)fp.o' address for
>>> users to report issues to FST.
> Before doing that, it should be figured out how to handle those
> reports. Traditionally, only RH employees, RH SRT members pretty much,
> were on the list. Handling of embargoed stuff in Fedora has been
> avoided in general.
I believe that was and is how it is currently set up. There was some
discussion of eventually having trusted/proven non-Red Hat team members
on the email as well. But I do not know if that was done. Sparks, I
believe, has a better idea of how this is now set up.
>> Updated with that address mentioned for critical bugs:
>>
>> https://gist.github.com/major/2dbb21b8f42dd882439d
> In addition to the concerns above, I think you should distinguish
> critical and embargoed / non-public. security-team(a)l.fp.o should still
> be preferred for any discussion of critical but already public issue.
The security-team list should be for all public issues. The security@
address is for embargoed or new bugs (that may end up being embargoed
depending on how the security@ list members handle it).