On 5/8/26 1:31 PM, Joe Orton wrote:
> Hi all, another vote -
> 
> We currently track all security issues in private, pushing these to the 
> public repos only during the preparation for a release. This adds 
> significant overhead for committers handling the current surge of 
> reports - a surge which mostly comprises Low severity issues. It also 
> delays us getting CI runs, which potentially delays the release, exactly 
> as happened with the recent mod_auth_digest fix in 2.4.67.
> 
> I'm proposing that we change the process: once we confirm a Low (and 
> maybe Moderate) severity issue, the fix can be pushed to the public 
> repos like any other change, with a deliberately obfuscated commit 
> message to conceal the security impact. The ASF Security team is fine 
> with this approach per [1], though cautions us to not keep the obscured 
> commits public for too long before a release.
> 
> Please vote:
> 
> [ ] No - keep the current process
> [X] Yes - push Low severity issues as obfuscated public commits
> [ ] Yes - push Low+Moderate severity issues as obfuscated public commits
> 

Regards

Rüdiger