On 12 Jan 2014, at 13:33, Jeff Trawick wrote:

> On Fri, Jan 10, 2014 at 8:38 AM, Jeff Trawick <traw...@gmail.com> wrote:
>> Open source projects, ASF or otherwise, have varying procedures for commits
>> of fixes to vulnerabilities.
>> ...
>> I plan to update http://httpd.apache.org/dev/guidelines.html based on the
>> outcome of the vote.
>
> Folks, if you want to express an opinion but haven't yet, please do so before
> Tuesday.
>
> I'll add something very close to the following, unless the vote changes
> considerably:
>
> ---cut here---
> Open source projects, ASF or otherwise, have varying procedures for commits
> of vulnerability fixes. One important aspect of these procedures is whether
> or not fixes to vulnerabilities can be committed to a repository with commit
> logs and possibly CHANGES entries which purposefully obscure the
> vulnerability and omit any available vulnerability tracking information. The
> Apache HTTP Server project has decided that it is in the best interest of our
> users that the initial commit of such code changes to any branch will provide
> the best description available at that time as well as any available tracking
> information such as CVE number when committing fixes for vulnerabilities to
> any branch. Committing of the fix will be delayed until the project
> determines that all of the information about the issue can be shared.
>
> In some cases there are very real benefits to sharing code early even if full
> information about the issue cannot, including the potential for broader
> review, testing, and distribution of the fix. This is outweighed by the
> concern that sharing only the code changes allows skilled analysts to
> determine the impact and exploit mechanisms but does not allow the general
> user community to determine if preventative measures should be taken.
> ---cut here---
s/outweighed by/balanced against/ ?

-- 
Tim Bannister – is...@jellybaby.net