On Tue, Dec 21, 2021 at 10:54:08AM +0000, Mark Thomas wrote:
> On 21/12/2021 09:35, Hen wrote:
> > The inactive projects will have been moved to the attic.
>
> A bigger issue - in my view - is the projects that are on the cusp of moving to the attic. They have enough activity to move forward just enough to avoid the attic but not enough to react to a security issue. There are projects that have vulnerabilities that have remained unaddressed for far too long.
>
> Too long is subjective and will vary by circumstance but I think there comes a point when a project's failure to make meaningful progress to address a security issue in a reasonable time frame should result in the project being moved to the attic.

Perhaps missing responses on security issues could be used as a first indication that a move to attic should be discussed?

> > It's a hard one to fix, assuming it should be fixed. Personally I think there should be some kind of alert when a project moves to the Attic.

Right now there's an email going to a projects list as part of the attic process.
https://attic.apache.org/process.html

> > There should be an email to announce@.
>
> I think that would be simple enough to roll into the attic process.
>
> > Email to all PMCs would likely be noise for most PMCs and targeting an email would require knowledge of dependencies.
>
> Agreed.
>
> Generally, I'd expect projects to be reviewing their dependencies fairly regularly.
>
> Do we or could we have build tools that report on this?

vh

Mads Toftum
--
http://flickr.com/photos/q42/

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
