-Original Message-
From: Jukka Zitting [mailto:jukka.zitt...@gmail.com]
The process at .../security/ answers parts of that question, but I
find some steps like the suggestion to obscure the commit that fixes a
vulnerability a bit awkward. One idea I came up with is to have a
Jukka Zitting wrote:
The process at .../security/ answers parts of that question, but I
find some steps like the suggestion to obscure the commit that fixes a
vulnerability a bit awkward. One idea I came up with is to have a
read-protected area in svn where (only?) security fixes can be
Hi,
On Tue, Jan 13, 2009 at 6:02 PM, William A. Rowe, Jr.
wr...@rowe-clan.net wrote:
We pass around patches at secur...@httpd until they are right. Less
efficient than SVN, perhaps.
More than the actual fixing of the vulnerability, I'm interested in
the process of releasing the fix. Creating
Jukka Zitting wrote:
A related point is the delay that our mirror infrastructure puts on
the release process. A security release that gets set up for mirroring
is already publicly available even though it can't under current
policies be announced until 24 hours later. Would it be acceptable
