If we're actually discussing private repos for reporting security issues then Github product is not helpful. It seems that most of the projects use private mailing lists for that. For example, Linux kernel has [email protected] and another one for coordination with distributions - more details here https://www.kernel.org/doc/html/v4.18/admin-guide/security-bugs.html
So I think something like [email protected] is the way to go. Alex On Sat, Jan 26, 2019 at 3:42 PM Lennart Poettering <[email protected]> wrote: > > On Di, 15.01.19 21:21, Alex Dzyoba ([email protected]) wrote: > > > When you create a new organization you can choose "Team For Open > > Source" plan. Here is the link > > https://github.com/account/organizations/new > > > > Though, I don't know if it's possible to upgrade the existing systemd > > organization, sorry. Maybe it's possible to contact github support to > > ask for this. > > So I had a closer look at this, and found this: > > https://help.github.com/articles/github-s-products/ > > IIUC "GitHub Team for Open Source" doesn't actually add anything we > need. Because what we need would actually be the ability for arbitrary > people (i.e. not people who necessarily are members of our systemd > team on github) to send us private PRs and issues in order to handle > security issues. > > It appears to me that plan does not provide the core need we have: > allow those random folks from the Internet to report security issues > in privacy to us... Or what am I missing? > > Lennart > > -- > Lennart Poettering, Red Hat _______________________________________________ systemd-devel mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/systemd-devel
