On 05/05/2017 05:39 AM, Eric Covener wrote:
Here is the change that probably has the biggest impact to the community:

The project team commits the fix. No reference should be made to the
commit being related to a security vulnerability.

This is the only part that makes me nervous, since I worry it'll encourage obscure commits, but otherwise...

To me, this is just a way to get us out of ambiguity/stalemate about
the overall process and follow security@a.o's best practices.


...I'm +1 to adopting the standard process in its entirety. We can always modify pieces later if they end up not working for us.

