On Fri, May 8, 2026 at 7:31 AM Joe Orton <[email protected]> wrote:
>
> Hi all, another vote -
>
> We currently track all security issues in private, pushing these to the public repos only during the preparation for a release. This adds significant overhead for committers handling the current surge of reports - a surge which mostly comprises Low severity issues. It also delays us getting CI runs, which potentially delays the release, exactly as happened with the recent mod_auth_digest fix in 2.4.67.
>
> I'm proposing that we change the process: once we confirm a Low (and maybe Moderate) severity issue, the fix can be pushed to the public repos like any other change, with a deliberately obfuscated commit message to conceal the security impact. The ASF Security team is fine with this approach per [1], though cautions us to not keep the obscured commits public for too long before a release.
>
> Please vote:
>
> [ ] No - keep the current process
> [x] Yes - push Low severity issues as obfuscated public commits
> [x] Yes - push Low+Moderate severity issues as obfuscated public commits
I am assuming we'd still do most of the same private tracking for these (and add a way to save the 2.4.x revision).
