https://bz.apache.org/bugzilla/show_bug.cgi?id=69181
--- Comment #1 from Eric Covener <cove...@gmail.com> ---
(In reply to Jens Schleusener from comment #0)
> I have the impression that in the CHANGES file of a released
> tarball at least according SECURITY entries are not listed
> actually but appear only "delayed" within the following release
> (checked for Apache httpd 2.4.59, 2.4.60 and 2.4.61).
>
> And the latest CHANGES file on GitHub
>
> https://github.com/apache/httpd/blob/2.4.x/CHANGES
>
> has currently also no contents under "Changes with Apache 2.4.62"
> (but as described now a SECURITY entry for "Changes with Apache
> 2.4.61" that was still missing in the original 2.4.61 CHANGES file).
>
> So I have the vague suspicion that a SECURITY entry might be
> missing here too for the upcoming 2.4.62 release (but I'm not
> sure) and that these are not one-off errors, but that there is a
> conceptual problem.
>
> Or is this an intentional behavior?
>
> As a long-time and grateful user

Unfortunately it is an intentional arrangement that the CHANGES in the release tarball doesn't have vulnerability entries for the current release. It is a side effect of ASF security policies/workflows.

To get into the included CHANGES file on time, the vulnerabilities would become even more visible/public before the voting begins, which may drag on for quite some time in the event of problems.

ref https://www.apache.org/security/committers.html