Thank you Jacques, I have now published the change.
Jacopo

On Tue, Jan 4, 2022 at 11:53 AM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>
> I agree Jacopo,
>
> Will you handle it?
>
> I made those tiny changes after an answer Mark J. Cox made to Mark Thomas in
> a discussion I read on security-disc...@community.apache.org :
>
> MT: <<We need to consider whether projects that are not releasing
> regularly really are healthy. Could they realistically respond to a
> security vulnerability in a reasonable time frame? If not, we need to
> move them to the attic.>>
>
> MC: <<And we need a clear way to communicate that, and EOL releases, to users so
> they know the status of what they're using. There are quite a number of
> examples where a project has responded to a vulnerability reporter that
> some version is EOL but it's not been clear enough on their pages, nor any
> real announcement ever having been made. We need a consistent policy on
> what to do about vulnerabilities that come up in EOL versions, and when to
> allocate them CVE names ("there's an unfixed issue in X") in order to help
> users with scanning tools also notice when they're using out of date and
> now insecure projects.>>
>
> There are at least 340+ TLPs*. So I guess it becomes worrying for the ASF.
>
> I don't think we are concerned by those worries. So it was just a small effort
> in this direction.
> I think though that we should discuss how to handle EOL announcements.
>
> * https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1
>
> Jacques
>
> On 04/01/2022 at 10:45, Jacopo Cappellato wrote:
> > Thank you Jacques for adding the statement: however I think it is time
> > to remove the entire section of 17.12.08 since we have enough releases
> > out of 18.12 already. The release 17.12.08 will always be
> > available in the archive.
> > Jacopo