Open AkihiroSuda opened 4 weeks ago
Maybe we can clarify that we prefer GHSA without completely removing the mailing list? There can still be use-cases for the mailing list such as attachments, which don't work as well in the GHSA report flow.
It is quite painful to continuously watch a list that is mostly full of spam. So I suggest completely shutting down the list.
For attachment they can use private gist, etc., or maybe just uuencode it.
+1 for updating the security doc to remove suggesting reporting to security@containerd.io. It potentially leaves the project vulnerable as messages there are easily missed due to the spam. We can just update our security doc though, we don't need to take any action to shut the mailing list down.
The security@containerd.io mailing list is full of spam and almost completely useless. Can we shut down the list and just migrate to GitHub Security Advisories (https://github.com/containerd/containerd/security/advisories/new)?
People who strongly refuse to (or who are not allowed to) create an account on GitHub may still directly reach out to the Core Committers via email or other communication methods to report vulnerabilities.