Re: svn commit: r1793940 - in /httpd/docs-build/trunk: deps.xml lib/allmodules.pl

* Jacob Champion wrote: > [crossposting dev@ and docs@] > > On 05/04/2017 04:55 PM, jchamp...@apache.org wrote: > > Author: jchampion > > Date: Thu May 4 23:55:48 2017 > > New Revision: 1793940 > > > > URL: http://svn.apache.org/viewvc?rev=1793940&view=rev > > Log: > > override index: add deps an

Change from ad-hoc/historical security process to ASF process?

(note to security@ folks -- this is a public dev@ thread!) Hi All. Over the years we have tried different approaches to handling CVEs, varying based on who did the work, their understanding of the unwritten procedures, and the severity of the bug. We haven't ever come to a solid consensus on som

Re: svn commit: r1793940 - in /httpd/docs-build/trunk: deps.xml lib/allmodules.pl

On 05/05/2017 01:34 AM, André Malo wrote: Well... It was a split-project back then (in CVS even... :-)). I'm also not sure we want all those jar files and stuff in the main repo. Most people neither use nor need it. I don't mind having the binaries in a separate place, so much as I mind having

Re: svn commit: r1793940 - in /httpd/docs-build/trunk: deps.xml lib/allmodules.pl

[Re-cc'ing docs. Sorry.] On 05/05/2017 01:34 AM, André Malo wrote: Well... It was a split-project back then (in CVS even... :-)). I'm also not sure we want all those jar files and stuff in the main repo. Most people neither use nor need it. I don't mind having the binaries in a separate place

Re: Change from ad-hoc/historical security process to ASF process?

On 05/05/2017 05:39 AM, Eric Covener wrote: Here is the change that probably has the biggest impact to the community: """ ... The project team commits the fix. No reference should be made to the commit being related to a security vulnerability. This is the only part that makes me nervous, sinc

Re: Change from ad-hoc/historical security process to ASF process?

+1... Lets do it. BTW, I would adjust #16 to include: Add the CVE to the CHANGES file. That way, it's still documented in CHANGES, just after the release is spun out, show it shows up in the next release's CHANGES. > On May 5, 2017, at 8:39 AM, Eric Covener wrote: > > (note to security@ fo

Re: Change from ad-hoc/historical security process to ASF process?

On 05/05/2017 01:32 PM, Jim Jagielski wrote: +1... Lets do it. BTW, I would adjust #16 to include: Add the CVE to the CHANGES file. That way, it's still documented in CHANGES, just after the release is spun out, show it shows up in the next release's CHANGES. Sounds good to me. --Jacob

Re: svn commit: r1793940 - in /httpd/docs-build/trunk: deps.xml lib/allmodules.pl

On May 5, 2017 9:28 AM, "Jacob Champion" wrote: On 05/05/2017 01:34 AM, André Malo wrote: > Well... It was a split-project back then (in CVS even... :-)). I'm also not > sure we want all those jar files and stuff in the main repo. Most people > neither use nor need it. > I don't mind having the