Thank you Jacques,

I have now published the change.

Jacopo


On Tue, Jan 4, 2022 at 11:53 AM Jacques Le Roux
<jacques.le.r...@les7arts.com> wrote:
>
> I agree Jacopo,
>
> Will you handle it?
>
> I made those tiny changes after an answer Mark J. Cox made to Mark Thomas in 
> a discussion I read on security-disc...@community.apache.org :
>
>     MT:  <<We need to consider whether projects that are not releasing
>     regularly really are healthy. Could they realistically respond to a
>     security vulnerability in a reasonable time frame? If not, we need to
>     move them to the attic.>>
>
>     MC: <<And we need a clear way to communicate that, and EOL releases, to users so
>     they know the status of what they're using.  There are quite a number of
>     examples where a project has responded to a vulnerability reporter that
>     some version is EOL but it's not been clear enough on their pages, nor any
>     real announcement ever having been made.  We need a consistent policy on
>     what to do about vulnerabilities that come up in EOL versions, and when to
>     allocate them CVE names ("there's an unfixed issue in X") in order to help
>     users with scanning tools also notice when they're using out of date and
>     now insecure projects.>>
>
> There are at least 340+ TLPs*. So I guess it becomes worrying for the ASF.
>
> I don't think we are concerned by those worries. So it was just a small effort
> in this direction.
> I think though that we should discuss how to handle EOL announcements.
>
> * https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1
>
> Jacques
>
> Le 04/01/2022 à 10:45, Jacopo Cappellato a écrit :
> > Thank you Jacques for adding the statement: however I think it is time
> > to remove the entire section of 17.12.08 since we have enough releases
> > out of 18.12 already. The release 17.12.08 will always be
> > available in the archive.
> >
> > Jacopo
