Re: Change from ad-hoc/historical security process to ASF process?

2017-05-23 Thread Ruediger Pluem
On 05/23/2017 12:26 PM, Rainer Jung wrote: > On 22.05.2017 at 22:38, Yann Ylavic wrote: >> On Sun, May 7, 2017 at 3:17 AM, William A Rowe Jr >> wrote: >>> On May 5, 2017 13:32, "Jim Jagielski" wrote: >>> >>> +1... Let's do it. >>> >>> BTW, I would adjust

Re: Change from ad-hoc/historical security process to ASF process?

2017-05-23 Thread Rainer Jung
On 22.05.2017 at 22:38, Yann Ylavic wrote: On Sun, May 7, 2017 at 3:17 AM, William A Rowe Jr wrote: On May 5, 2017 13:32, "Jim Jagielski" wrote: +1... Let's do it. BTW, I would adjust #16 to include: Add the CVE to the CHANGES file. That way, it's

Re: Change from ad-hoc/historical security process to ASF process?

2017-05-22 Thread Yann Ylavic
On Sun, May 7, 2017 at 3:17 AM, William A Rowe Jr wrote: > On May 5, 2017 13:32, "Jim Jagielski" wrote: > > +1... Let's do it. > > BTW, I would adjust #16 to include: > > Add the CVE to the CHANGES file. > > That way, it's still documented in CHANGES,

Re: Change from ad-hoc/historical security process to ASF process?

2017-05-22 Thread Eric Covener
On Mon, May 22, 2017 at 10:58 AM, Eric Covener wrote: > Last chance for anyone else to speak up. Not really "last", but before this thread is lost forever to everyone's mail archives. -- Eric Covener cove...@gmail.com

Re: Change from ad-hoc/historical security process to ASF process?

2017-05-22 Thread Eric Covener
On Sat, May 6, 2017 at 9:17 PM, William A Rowe Jr wrote: > On May 5, 2017 13:32, "Jim Jagielski" wrote: > > +1... Let's do it. > > BTW, I would adjust #16 to include: > > Add the CVE to the CHANGES file. > > That way, it's still documented in CHANGES,

Re: Change from ad-hoc/historical security process to ASF process?

2017-05-06 Thread William A Rowe Jr
On May 5, 2017 13:32, "Jim Jagielski" wrote: +1... Let's do it. BTW, I would adjust #16 to include: Add the CVE to the CHANGES file. That way, it's still documented in CHANGES, just after the release is spun out, so it shows up in the next release's CHANGES. ... And if

Re: Change from ad-hoc/historical security process to ASF process?

2017-05-05 Thread Jacob Champion
On 05/05/2017 01:32 PM, Jim Jagielski wrote: +1... Let's do it. BTW, I would adjust #16 to include: Add the CVE to the CHANGES file. That way, it's still documented in CHANGES, just after the release is spun out, so it shows up in the next release's CHANGES. Sounds good to me. --Jacob

Re: Change from ad-hoc/historical security process to ASF process?

2017-05-05 Thread Jim Jagielski
+1... Let's do it. BTW, I would adjust #16 to include: Add the CVE to the CHANGES file. That way, it's still documented in CHANGES, just after the release is spun out, so it shows up in the next release's CHANGES. > On May 5, 2017, at 8:39 AM, Eric Covener wrote: > >

Re: Change from ad-hoc/historical security process to ASF process?

2017-05-05 Thread Jacob Champion
On 05/05/2017 05:39 AM, Eric Covener wrote: Here is the change that probably has the biggest impact to the community: """ ... The project team commits the fix. No reference should be made to the commit being related to a security vulnerability. This is the only part that makes me nervous,

Change from ad-hoc/historical security process to ASF process?

2017-05-05 Thread Eric Covener
(note to security@ folks -- this is a public dev@ thread!) Hi All. Over the years we have tried different approaches to handling CVEs, varying based on who did the work, their understanding of the unwritten procedures, and the severity of the bug. We haven't ever come to a solid consensus on