[OPEN-ILS-DEV] Security team coordination

Mike Rylander mrylander at gmail.com
Tue Dec 21 13:32:36 EST 2010


Dan Scott recently set up an Evergreen Security Team on LaunchPad for
the purpose of accepting, triaging, prioritizing and attacking
security-related issues (vulnerabilities, etc.) in Evergreen.  However,
beyond the membership -- all of whom will be alerted when a bug is
tagged as a security issue (IIUC) -- there is no closed communication
channel for the security team.  This is important because we want to
be able to address security issues before exploits are in the wild.

So, to that end, I would like to propose the creation of an
open-ils-security mailing list.  This list would need to allow anyone
to post, but would be moderated for non-members.  Members would be the
Evergreen Security Team.  This poses some amount of overhead to
security team members, but may be a necessary evil.  I understand
there is a project either being planned or under way to change or
rehost our mailing lists, and I hear Chris Sharp of GPLS is working on
this.  Chris, if this is indeed under your auspices and underway, we
should coordinate this soon.  If, however, it will be a while before
anything happens in this area, ESI would be happy to host the security
list for the community -- we can set this up very quickly.  Since it
should be low membership and relatively low traffic, moving it later
shouldn't be a problem.  Just let me know (assuming we don't change
the plan to something other than a moderated, private list -- see
below).

Ideas for alternate methods of communication amongst security team
members are welcome, so if you can think of something that would work
better for those that will be on the team and have less overhead,
please reply here!

-- 
Mike Rylander
 | VP, Research and Design
 | Equinox Software, Inc. / The Evergreen Experts
 | phone:  1-877-OPEN-ILS (673-6457)
 | email:  miker at esilibrary.com
 | web:  http://www.esilibrary.com