Re: [security-priv] Is this security-priv private email useful / used?

On Tue, May 13, 2025 at 10:39:03PM -0700, Jody Garnett via security-priv wrote:

I think we should ask the system admin committee to disable this list as
inactive.

Agreed, it makes more sense for security reports to be directed to
more specific people, rather than a generic "OSGeo"...

It looks like a good time to file that ticket, as we're migrating the
mailing list server to another host and cleaning it up.

--strk;

If this is for nonpublic reports of security problems, then agreed it
may not make sense, in favor of multiple per-project aliases.

I don't think it's good to publish individual email addresses as security
contacts, from a stability-of-published-info viewpoint, as well as tone
for liability control. So I'm not sure that the alternative plan is.

There's another semi-need, which this list apparently wasn't serving,
which is private communication from project maintainers to packagers,
for coordinating coordinated releases. For various projects, I have
received advance notice of releases, and sometimes the actual bits, not
yet in a public repo, under embargo for me to test and get packages
ready so I can push them the hour the release comes out. Sometimes it's
email, and for one, it's an invitation-only encrypted Matrix room.

The history of OSGeo stuff leads one not to expect a lot of such
activity, and I'm not saying there needs to be a big kerfuffle - just
pointing out a related issue.