On Thu, 23 Dec 2021 at 20:08, Mark Thomas <[email protected]> wrote:
>
> > [...]
> > Shouldn't there be an ASF-wide process for this kind of critical
> > situation.
>
> There is.
>
> https://www.apache.org/security/committers.html
>
> The process is deliberately designed to give projects the necessary
> flexibility to deal with a wide range of scenarios.
>
> If the fix is agreed beforehand, steps 14 to 16 can happen as quickly as
> the project can complete them. I'd expect most projects to be able to do
> that in less than an hour if the issue required it.

Thus, in effect, step 13 is telling that the result of the vote is decided before the release process has started.

> My experience from Tomcat is that most vulnerability fixes are not
> immediately security related. Based on a combination of:
> - how severe the issue is;
> - how obvious the fix is;
> the Tomcat project will decide how far in advance of the tag it is safe
> to commit the fix and what, if anything, we need to do to expedite the
> release vote. The typical case is a commit within a few days of the tag
> and a normal (72 hour) release vote.

The "typical case" not being the issue that was discussed on the other list (?).

For a critical case, everything should happen within one hour, IIUC what you wrote above.

Gilles
