[ZF] Need volunteers to work on security issues

Steve Alexander steve at canonical.com
Mon Aug 7 15:03:12 EDT 2006

> Occasionally, we discover a security issue in Zope that needs to be 
> addressed in a timely manner.  There is a too-small informal cadre of
> volunteers who work on security issues.  We need more people
> involved in this to help get this work done and to give us enough
> resources to make sure it gets done well, for example, with tests.

I volunteer.

> For obvious reasons,
> this needs to be a trusted group of people, who are well known within
> the community.  Also, I'd like to formalize this a bit by creating
> an identified group of people on a mailing list, so that there is no 
> question of who to send issues to.  Alternatively, I suppose we could
> use the collectors as the supporters would see security issues.  I'm
> not sure that collectors have worked all that well for security
> issues in the past.

I would invite Zope to use Launchpad to track bugs.  Launchpad has a
concept of "security contacts", which can be teams of people, who are
notified about security-related bugs.  Some other features are listed in

> Finally, I think it would be good to get some representation from
> some of the major Zope projects so that representatives can analyze
> and respond to the impact on their projects.

I know that Martin Pitt, who works on security updates for Ubuntu, is
interested in this role as it relates to the Ubuntu Linux distribution.

Steve Alexander
