On 17 Jan 2012, at 5:55 PM, William A. Rowe Jr. wrote:

> Whoever is committing the security patches for disclosed issues
> ought to publish their patch on the same day. I've participated
> over 10 years, and for 10 years published relevant patches that I
> had written to patches/apply_to_rev/ branches.
>
> It seems to me that committers today have no interest in publishing
> patches to dist, therefore the concept should be declared DOA, the
> patches/ tree removed, and a new mechanism for communicating security
> patches to the users be created. Of course the legacy of that tree
> would still persist under archive.a.o/dist/httpd/patches.

What I don't understand is how the conclusion is drawn that committers don't have an interest in publishing patches to dist, when a far more likely explanation is that nobody knew to do so.

Take our opening site page at http://httpd.apache.org/, no mention of patches at all. Zoom in a little to the download page at http://httpd.apache.org/download.cgi#apache23, and still no mention of the patches directory. If our end users aren't alerted to the fact these patches exist, you can hardly expect our committers to.

The idea behind patches is entirely sound, and I strongly disagree that the practice should stop. Instead, the practice should be properly formalised, with comments added to the appropriate places so that it is made obvious to committers what to do, and at the same time both our opening page and our downloads page should be amended to contain links to the patches directory for the benefit of end users.

Regards,
Graham
--
