Hi Jens,
Thanks for the input. Please see below.
* There is no statement about fixed security related issues in the release review information.
See below.
* The link to the Eclipse security policy is missing
Is the link on this [1] page not sufficient?
* Which raises the question if you have reviewed the Eclipse Security Policy
I believe it is more respectful to turn your statement/accusation into the question “Have you reviewed the Eclipse Security Policy?”, which would give me the opportunity to respond accordingly. Yes, I have read the security policy, and, to my knowledge, we are adhering to the policy. The reported vulnerability bugs have been addressed. The next step would be to make the bugs public and disclose to the community. I am working on this last part. There are several industrial solutions based on Kura, so we need to be sensitive about how we word such messaging. This messaging will be ready before we make the official release. I didn’t see anything in the policy that stated vulnerabilities must be discussed in the release review information. In fact, I would argue this is the wrong place to track vulnerabilities, as we now have a separate system in place.
* The source code for a modified GPL module is still missing [2]
The linked issue is marked with the KURA-3.0.0 tag. All such tagged items will be addressed before the release. Apologies if that wasn’t clear; I believe I usually include that link in the PMC request.
Thanks,
--Dave
Hi David,
from a quick look there are a few points still missing for me:
* There is no statement about fixed security related issues in the release review information.
* The link to the Eclipse security policy is missing
* Which raises the question if you have reviewed the Eclipse Security Policy [1]
* The source code for a modified GPL module is still missing [2]
I know the security related points are partly new, but the issue about the missing GPL source code is quite a few releases old now and I think it should be fixed before making another Kura release.
_______________________________________________
iot-pmc mailing list
iot-pmc@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/iot-pmc