+1

On Wed, Mar 17, 2021, 17:53 Sidney Markowitz <[email protected]> wrote:
> I've completely rewritten the wiki page describing our project's process for
> handling reports and fixes of security vulnerabilities because it did not
> match what we actually do.
>
> https://cwiki.apache.org/confluence/display/SPAMASSASSIN/SecurityPolicy
>
> I have a point I would like to bring up for discussion.
>
> "Also, unlike non-security issues which are closed in Bugzilla once the fix is
> committed, leave this issue in Open state until the SpamAssassin release
> containing the fix is prepared. That prevents people without full access to
> the issue from matching up the time of closing of the issue with time of svn
> commit."
>
> That is something we have done, but I don't see the need given that for anyone
> without access to security bugs any search or notification of closed bugs will
> not show the issue. Even if someone knows the issue number, attempting to look
> at it will show that a closed-access issue with that number exists, but
> nothing about its contents or status or dates the status changed.
>
> Given that the security purpose for that policy is not actually helped by it,
> and it is more convenient to close bugs when the fix has been tested and
> committed, I propose that we drop that policy.
>
> After getting some responses to get a sense of things, I'll call for a vote to
> change the policy.
>
> I also locked the page to allow it to be viewed by anyone, but edited only by
> members of the PMC. We might want to consider identifying other wiki pages
> that similarly describe PMC policies and lock write access to those too. While
> it is helpful that a wiki page can be improved by anyone who notices a typo or
> awkward phrasing, pages that purport to describe official policy should have a
> bit more assurance that they remain accurate. If anyone thinks that was a
> wrong decision, feel free to speak up and we can discuss and vote on it.
>
> Sidney
