On 23/12/2021 18:12, Gilles Sadowski wrote:
Follow-up from thread on [email protected]:
   https://lists.apache.org/thread/62pz8p7ogv1jt3stlms9s5rsm0pboocx

On Thu, 23 Dec 2021 at 18:52, Greg Stein <[email protected]> wrote:

On Thu, Dec 23, 2021 at 11:48 AM Gilles Sadowski <[email protected]> wrote:

On Thu, 23 Dec 2021 at 18:31, Jarek Potiuk <[email protected]> wrote:

It is captured in the language of [1] where it says "Release votes
SHOULD remain open for at least 72 hours."

What about the part about public sources?
It is fairly weak to assume that a hacker able to take advantage
of a security breach will be fooled by a commit message that
attempts to be deceptive.
The suggestion of a private repository (and private voting for security
fixes) seems more coherent with the rest of the procedure...


Divide the patches into two groups:
1) changes which are obviously correcting a vulnerability
2) supporting changes

Push all of (2) into the public repository. Keep a patch file for (1) in 
private, that people can apply for test/dev. The more you can push into (2) 
without giving away what is happening, then the smaller the key patch of (1). 
And (1) goes in at the same time you tag/roll/release. That last step can 
happen in minutes.

Do I understand correctly that in this process, you'd vote on
the "combination" of two separate sources?

In "Commons" at least, the "tag" happens before the vote.
Unless I'm missing something, the process which you describe
is not supported.
Shouldn't there be an ASF-wide process for this kind of critical
situation?

There is.

https://www.apache.org/security/committers.html

The process is deliberately designed to give projects the necessary flexibility to deal with a wide range of scenarios.

If the fix is agreed beforehand, steps 14 to 16 can happen as quickly as the project can complete them. I'd expect most projects to be able to do that in less than an hour if the issue required it.

My experience from Tomcat is that most vulnerability fixes are not immediately security related. Based on a combination of:
- how severe the issue is;
- how obvious the fix is;
the Tomcat project will decide how far in advance of the tag it is safe to commit the fix and what, if anything, we need to do to expedite the release vote. The typical case is a commit within a few days of the tag and a normal (72 hour) release vote.

Mark
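Greg Stein's two-group workflow above, rehearsed as an added shell example; this is not code from the thread or from any ASF project. The repository contents, file names and the "fix" lines are constructed for the demonstration, the layout (a public repository beside a private patch file) is an assumption, and git is assumed to be installed:

```shell
#!/bin/sh
# Added example, not code from the thread: group 2 (supporting changes) is
# committed to the public repository, while group 1 (the fix itself) lives
# only in a patch file off the public tree, is re-checked against the public
# tip as that tip moves, and is applied in the same step as the release tag.
set -eu

# Identity for the throw-away commits below (constructed).
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Create the public repository (group 2 only) and the private patch (group 1)
# under $1: $1/public is the repository, $1/private/fix.patch the key patch.
setup_demo() {
    base=$1
    pub=$base/public
    mkdir -p "$pub" "$base/private"
    git init -q "$pub"
    # Supporting change (group 2): a harmless-looking helper lands publicly.
    printf 'helper: trim input\nhandler: use raw input\n' > "$pub/app.txt"
    git -C "$pub" add app.txt
    git -C "$pub" commit -q -m "Add input trimming helper"
    # The actual fix (group 1): prepared locally, exported as a patch file,
    # then reverted so the public tree never shows it before the release.
    printf 'helper: trim input\nhandler: use trimmed input\n' > "$pub/app.txt"
    git -C "$pub" diff > "$base/private/fix.patch"
    git -C "$pub" checkout -q -- app.txt
}

# Confirm the private patch still applies cleanly to the public tip. Run this
# whenever the public branch moves; a non-zero status means the patch has gone
# stale and must be refreshed before the release can be cut.
check_private_patch() {
    git -C "$1" apply --check "$2"
}

# Release step: apply the fix, commit and tag in one go, so the fix is visible
# only from the moment the tag is pushed. Prints the resulting tag name.
release_with_fix() {
    repo=$1
    patch=$2
    version=$3
    check_private_patch "$repo" "$patch"
    git -C "$repo" apply "$patch"
    git -C "$repo" add -A
    git -C "$repo" commit -q -m "Release $version"
    git -C "$repo" tag -a "v$version" -m "Release $version"
    git -C "$repo" describe --tags
}

# Stand-alone run: rehearse the whole sequence in a temporary directory.
DEMO=$(mktemp -d)
setup_demo "$DEMO"
check_private_patch "$DEMO/public" "$DEMO/private/fix.patch"
echo "private patch applies cleanly to the public tip"
release_with_fix "$DEMO/public" "$DEMO/private/fix.patch" 1.2.3
```

The `apply --check` step is the part worth automating: every time group 2 grows, the private patch is re-verified against the public tip, so the tag-time application never fails on a stale patch. In this constructed layout the patch is reapplied from a fresh checkout; re-running the check after the release fails, which is the intended signal that the patch has already landed.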
