On Jan 19, 2009, at 12:32 PM, Donald Woods wrote:
Joe Bohn wrote:
Is the omission of any discussion of a JIRA intentional? In other
words, is it expected that a JIRA will *not* be created to document
or track the code change and that the CVE will be the only
documentation of the issue (and then only after a server image has
already been released, by changing the commit log)?

Good point. I believe we should create the JIRA as part of step #9.

OK. That sounds good. I'm assuming the RELEASE_NOTES will also contain
information regarding the vulnerability (including the CVE, etc.).

If we are not creating a JIRA, then this brings up a documentation
issue. Not announcing the issue until after a server release also
causes some doc issues.
- We typically use JIRAs to identify all changes within a release.
- We include the list of JIRAs fixed and outstanding within the
RELEASE_NOTES for each server release.
- The RELEASE_NOTES are included in the server images so that
anyone downloading a server image can easily understand what issues
are resolved or still outstanding with that release.
- So typically JIRAs must be resolved before we create a release
candidate. The entire release (including the release notes) is
then validated during the vote for the release candidate.
Security fixes are important, so it seems that they should be
mentioned in the release notes. I also understand the sensitive
nature of these issues and the possibility of exploitation.
However, it seems that the code check-in itself already has the
potential to make the exposure public for those watching carefully.
One possible solution would be to announce the vulnerability once
we have a work-around available and/or a fix available in a
SNAPSHOT image.

Agree that we need to be as open as possible. As part of step #9,
I'd like to see us add a reference to the fix (but not the complete
details) on our Security pages for each release. Step #12 would
also be updated, to go back and add the CVE number and more details
to the Security pages as each branch is released.

OK. Is it necessary to hide the CVE until 12? If so, I guess the
RELEASE_NOTES shouldn't include the CVE...

--kevan