Cantor, Scott <canto...@osu.edu> writes:

> Practically speaking, the security process and the web site have been the
> main sources of friction for me, and I think the latter is definitely a
> choice. We could simply accept that it's not viable and shut it down in
> favor of a simple wiki page with the download links, etc.
Agree.

> Apache's security process is definitely a source of problems for me, it
> demands too much effort and is one of the reasons I tend to look for reasons
> not to do them. I don't believe in doing the work of downstream packagers as
> a precondition for doing fixes, and their process leans too far in that
> direction.

OK, didn't know that.

> I just believe in transparency so everybody knows the situation.

Yes, I agree we should make it clear if/when things are insecure.

And I think it is also perfectly reasonable to switch to "disabled by default" for functionality (such as DTD) which has known security issues but which we cannot fix (for whatever reasons).