On Tue, May 12, 2026 at 4:24 PM Christophe JAILLET < [email protected]> wrote:
>
> On 08/05/2026 at 13:31, Joe Orton wrote:
> > Hi all, another vote -
> >
> > We currently track all security issues in private, pushing these to the public repos only during the preparation for a release. This adds significant overhead for committers handling the current surge of reports - a surge which mostly comprises Low severity issues. It also delays us getting CI runs, which potentially delays the release, exactly as happened with the recent mod_auth_digest fix in 2.4.67.
> >
> > I'm proposing that we change the process: once we confirm a Low (and maybe Moderate) severity issue, the fix can be pushed to the public repos like any other change, with a deliberately obfuscated commit message to conceal the security impact. The ASF Security team is fine with this approach per [1], though cautions us to not keep the obscured commits public for too long before a release.
> >
> > Please vote:
> >
> > [ ] No - keep the current process
> > [X] Yes - push Low severity issues as obfuscated public commits
> > [ ] Yes - push Low+Moderate severity issues as obfuscated public commits
> >
> > If you're fine with either Low or Low+Moderate vote "Yes" on both and we'll see where the majority lies?
> >
> > Regards, Joe
> >
> > [1] https://cwiki.apache.org/confluence/display/SECURITY/Working+In+Private
>

I was initially wary of the third option, but I reconsidered the risks.

[x] Yes - push Low severity issues as obfuscated public commits
[x] Yes - push Low+Moderate severity issues as obfuscated public commits
