I've completely rewritten the wiki page describing our project's process for
handling reports and fixes of security vulnerabilities because it did not
match what we actually do.
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/SecurityPolicy
I have a point I would like to bring up for discussion.
"Also, unlike non-security issues which are closed in Bugzilla once the fix is
committed, leave this issue in Open state until the SpamAssassin release
containing the fix is prepared. That prevents people without full access to
the issue from matching up the time of closing of the issue with time of svn
commit."
That is something we have done, but I don't see the need, given that, for anyone
without access to security bugs, any search or notification of closed bugs will
not show the issue. Even if someone knows the issue number, attempting to look
at it will show that a closed-access issue with that number exists, but
nothing about its contents, its status, or the dates the status changed.
Given that the security purpose for that policy is not actually helped by it,
and it is more convenient to close bugs when the fix has been tested and
committed, I propose that we drop that policy.
After getting some responses to get a sense of things, I'll call for a vote to
change the policy.
I also locked the page to allow it to be viewed by anyone, but edited only by
members of the PMC. We might want to consider identifying other wiki pages
that similarly describe PMC policies and lock write access to those too. While
it is helpful that a wiki page can be improved by anyone who notices a typo or
awkward phrasing, pages that purport to describe official policy should have a
bit more assurance that they remain accurate. If anyone thinks that was a
wrong decision, feel free to speak up and we can discuss and vote on it.
Sidney