On 1/17/2012 6:36 AM, Jim Jagielski wrote:
> Bill, I am taking your advice and learning some tact, so I
> respectfully ask: "What is your major malfunction?" I am
> growing tired of you constantly complaining while doing *nothing*
> to address those self-same issues which you seem to find so
> problematic.
I respectfully answer, and change the subject line. I'm just shocked you responded to Steffan with a w00t. That was just weird.

And further answer: the project malfunction is that we communicate to users that security patches somehow exist in the respective dist/httpd/patches/ tree. I have taken specific steps to consolidate the patches directories which were devoid of patches, steps to improve the data we collect in our vulnerabilities database, identification of previously unmaintained data for released branches, patch review on security@ and authoring patches, responding to patch reporters, etc. I certainly don't do nothing to address security reports.

Whoever is committing the security patches for disclosed issues ought to publish their patch on the same day. I've participated over 10 years, and for 10 years published relevant patches that I had written to patches/apply_to_rev/ branches. It seems to me that committers today have no interest in publishing patches to dist; therefore the concept should be declared DOA, the patches/ tree removed, and a new mechanism for communicating security patches to the users be created. Of course the legacy of that tree would still persist under archive.a.o/dist/httpd/patches.

I'd propose we add a field in our oval-like xml table for the patch svn url to be recorded as soon as it is committed to svn, provided we are talking about a disclosed issue.

Thoughts?
