> 8. Reach an agreement for the fix and announcement schedule with the
>    submitter.
> 9. Announce the vulnerability (users, dev, [email protected], bugtraq at
>    securityfocus.com, full-disclosure at lists.grok.org.uk and project
>    security pages). The vulnerability announcement must provide
>    instructions on how to prevent or fix the security problem.
How easily will we allow our users to fix the security issue by following the instructions here? If it's something like "replace this jar with the attached jar, and restart the server", etc., then it looks easy. But if it's something like "apply the fix committed in Revision XXXXXX, rebuild the code and ...", then we are putting too much burden on users, assuming the majority of our users never care to build Geronimo by themselves. So in this sense, making a maintenance release is a preferable "total" solution for our users.

-Jack
