On Fri, May 22, 2020 at 6:15 PM Joan Touzet <woh...@apache.org> wrote:
> I'm curious what the Apache Security team's opinion is on this (they are
> cc'ed on every email to secur...@couchdb.apache.org)

The policy that OpenSSL has works because OpenSSL doesn't release the update at the time of that prenotification, and usually the fix for the issue isn't in the repo; instead it's handled in private, with the final commits and tarball going live around the same time as the advisory is published (all within an hour or so anyway).

As stated in the thread, if you notify your users that there is a security issue (or, worse, if you tell them it's a 'critical' one) in a tarball you've already released, then you'll end up with people looking through the commits to find it so they can publish it or exploit it, and then it creates a disclosure mess, which we would not recommend.

Regards,
Mark