Follow-up from thread on [email protected]: https://lists.apache.org/thread/62pz8p7ogv1jt3stlms9s5rsm0pboocx
On Thu, 23 Dec 2021 at 18:52, Greg Stein <[email protected]> wrote:
>
> On Thu, Dec 23, 2021 at 11:48 AM Gilles Sadowski <[email protected]> wrote:
>>
>> On Thu, 23 Dec 2021 at 18:31, Jarek Potiuk <[email protected]> wrote:
>> >
>> > > It is captured in the language of [1] where it says "Release votes
>> > > SHOULD remain open for at least 72 hours."
>>
>> What about the part about public sources?
>> It is fairly weak to assume that a hacker able to take advantage
>> of a security breach will be fooled by a commit message that
>> attempts to be deceptive.
>> The suggestion of a private repository (and private voting for security
>> fixes) seems more coherent with the rest of the procedure...
>
>
> Divide the patches into two groups:
> 1) changes which are obviously correcting a vulnerability
> 2) supporting changes
>
> Push all of (2) into the public repository. Keep a patch file for (1) in
> private, that people can apply for test/dev. The more you can push into (2)
> without giving away what is happening, then the smaller the key patch of (1).
> And (1) goes in at the same time you tag/roll/release. That last step can
> happen in minutes.

Do I understand correctly that in this process, you'd vote on the "combination"
of two separate sources?
In "Commons" at least, the "tag" happens before the vote.
Unless I'm missing something, the process which you describe is not supported.

Shouldn't there be an ASF-wide process for this kind of critical situation?

Gilles
