On 08/05/2026 at 13:31, Joe Orton wrote:
Hi all, another vote -

We currently track all security issues in private, pushing these to the
public repos only during the preparation for a release. This adds
significant overhead for committers handling the current surge of
reports - a surge which mostly comprises Low severity issues. It also
delays us getting CI runs, which potentially delays the release, exactly
as happened with the recent mod_auth_digest fix in 2.4.67.

I'm proposing that we change the process: once we confirm a Low (and
maybe Moderate) severity issue, the fix can be pushed to the public
repos like any other change, with a deliberately obfuscated commit
message to conceal the security impact. The ASF Security team is fine
with this approach per [1], though cautions us to not keep the obscured
commits public for too long before a release.

Please vote:

[ ] No - keep the current process
[X] Yes - push Low severity issues as obfuscated public commits
[ ] Yes - push Low+Moderate severity issues as obfuscated public commits

If you're fine with either Low or Low+Moderate vote "Yes" on both and
we'll see where the majority lies?

Regards, Joe

[1] https://cwiki.apache.org/confluence/display/SECURITY/Working+In+Private