Hi Jens,
No worries. I probably shouldn’t read emails before I’ve had my morning coffee ;)
So, we are okay for now with the security topic? I certainly want to follow the guidelines, as this is an important topic.
I understand the GPL topic is important. We should be able to get this addressed within the next week. I will update the referenced GitHub Issue once we have new information. This issue will be corrected before we make the 3.0.0 release.
Thanks,
--Dave
Hello David,
If that formulation sounded disrespectful I apologize. It honestly wasn't meant that way!
Having a brief look at the homepage, clicking through a few links didn't bring up this page with the link to the policy for me. So I think that link should be a bit more prominent, e.g. in the footer or maybe the "community" sub-menu. Finding it right now is rather hard.
We had a public discussion over the last weeks which ended up in the initial version of the document [1]. The PMI already has a field for providing information about fixed security issues; if there were none, then this field should be filled with a short statement that there were no known issues at this point. It also handles the case of how to provide information without disclosing the actual issue, allowing for a controlled disclosure. I know that this step, of filling out the field, is new. It should ensure that this field is not simply forgotten, but filled in one way or the other intentionally. Tracking security vulnerabilities should still happen in the Eclipse Bugzilla as the Eclipse Security Policy states.
I consider the GPL issue rather important, as this issue (not the GitHub issue entry, but the issue itself) has now been open since before Kura 2.1. And effectively it is not possible to re-compile Kura in the way it is distributed right now. But I guess it shouldn't be a big issue providing the sources in a reproducible way.
I hope this explains a bit what I meant.
Jens
_______________________________________________
iot-pmc mailing list
iot-pmc@xxxxxxxxxxx