On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <j...@jagunet.com> wrote:
> Things are looking good for a T&R of 2.4.24 sometime late > today. > > If you have any issues or concerns, let me know asap. > Hi Jim, we may have to concede, in light of many already partially disclosed CVE's, that it is impossible to proceed. At this moment, there are 5 committers who have invested time and energy at looking at the current open issues. Of the stale issues, 2 refuse to fix the reported issued directly, while 3 others have lingering patches that would fix the core defects. There is a straightforward solution to solving such issues, but the quick-fix has issues of its own. Only three votes are required to incorporate the fix, but in the face of an objection, four are required to overrule a hold-out (assuming it is even the right solution.) Five is simply too small a number to sustain a security team at any project of this complexity. That isn't pointing fingers at any person whatsoever, it's an assessment of the situation. In spite of 34 registered project committee members, until other contributors come forward to participate in the security patch review process, we may simply have to declare all further efforts are currently on pause. Sincerely, thanks for trying to push this release forward. I hope this is all resolved quickly.