On Sun, Jan 12, 2014 at 10:23 AM, Tim Bannister <is...@jellybaby.net> wrote:
> On 12 Jan 2014, at 13:33, Jeff Trawick wrote:
>
> > On Fri, Jan 10, 2014 at 8:38 AM, Jeff Trawick <traw...@gmail.com> wrote:
> > > Open source projects, ASF or otherwise, have varying procedures for
> > > commits of fixes to vulnerabilities. ...
> >
> > I plan to update http://httpd.apache.org/dev/guidelines.html based on
> > the outcome of the vote.
> >
> > Folks, if you want to express an opinion but haven't yet, please do so
> > before Tuesday.
> >
> > I'll add something very close to the following, unless the vote changes
> > considerably:
> >
> > ---cut here---
> > Open source projects, ASF or otherwise, have varying procedures for
> > commits of vulnerability fixes. One important aspect of these procedures
> > is whether or not fixes to vulnerabilities can be committed to a repository
> > with commit logs and possibly CHANGES entries which purposefully obscure
> > the vulnerability and omit any available vulnerability tracking
> > information. The Apache HTTP Server project has decided that it is in the
> > best interest of our users that the initial commit of such code changes to
> > any branch will provide the best description available at that time as well
> > as any available tracking information such as CVE number when committing
> > fixes for vulnerabilities to any branch. Committing of the fix will be
> > delayed until the project determines that all of the information about the
> > issue can be shared.
> >
> > In some cases there are very real benefits to sharing code early even if
> > full information about the issue cannot, including the potential for
> > broader review, testing, and distribution of the fix. This is outweighed by
> > the concern that sharing only the code changes allows skilled analysts to
> > determine the impact and exploit mechanisms but does not allow the general
> > user community to determine if preventative measures should be taken.
> > ---cut here---
>
> s/outweighed by/balanced against/ ?

"balanced against" sounds fancier but I think we're deciding that it is more "imbalanced" than "balanced"

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/