Hi Jacques
I noted that you sent the original email on a Saturday and not everyone
is available to respond over a weekend so would suggest that you wait at
least another day for any feedback.
Thanks
Sharan
On 18/09/17 09:59, Jacques Le Roux wrote:
Actually, we follow https://www.apache.org/security/committers.html
and are right to do.
Since I got no answers I suppose it's a silent consensus and will do 2
Jacques
Le 16/09/2017 à 11:50, Jacques Le Roux a écrit :
Hi,
Maybe you have heard about Equifax and Apache Struts recently.
While following the story on the ASF members side I read some emails
which made me think about our security issues diffusion strategy.
There are 2 things projects like HTTPD and Tomcat do:
1. They amend the commits that fixed the issue by adding a the CVE
reference in the comment
2. Tomcat also includes a link/s to the commit/s that fixed the issue
on their security page.
We already do 1 (at least I found some commits logs amended) but
should we not also do 2 at https://ofbiz.apache.org/download.html ?
Jacques
