On 2021/12/23 18:12:32 Gilles Sadowski wrote:
> Follow-up from thread on [email protected]:
> https://lists.apache.org/thread/62pz8p7ogv1jt3stlms9s5rsm0pboocx
>
> On Thu., 23 Dec. 2021 at 18:52, Greg Stein <[email protected]> wrote:
>...
> > 1) changes which are obviously correcting a vulnerability
> > 2) supporting changes
> >
> > Push all of (2) into the public repository. Keep a patch file for (1) in
> > private, that people can apply for test/dev. The more you can push into (2)
> > without giving away what is happening, then the smaller the key patch of
> > (1). And (1) goes in at the same time you tag/roll/release. That last step
> > can happen in minutes.
>
> Do I understand correctly that in this process, you'd vote on
> the "combination" of two separate sources?
Correct. Say the patch is to be applied to your (say:) 2.43 release branch, so
that 2.44 can be released with the fix. So you vote privately (e.g.
[email protected]) on the (public) 2.43 branch, *plus* the privately-held
patch. This is all happening with source, so everybody should be working from
the same set of sources, and a vote can be performed.

We have a reliable mechanism (repos/private/pmc/PROJECT/) for this process. We
may eventually get the toolchain configured for private git repositories, but
(today:) projects should coordinate their security releases via
svn:repos/private/

> In "Commons" at least, the "tag" happens before the vote.

That is normal, yes. But you can't make a public tag for a security release,
until the very end stages. That tag will basically be contemporaneous with the
release. Like: commit-patch, tag, roll-release, make announcement.

> Unless I'm missing something, the process which you describe
> is not supported.
> Shouldn't there be an ASF-wide process for this kind of critical
> situation.

As MarkT notes later-thread, this process is already described. Is it clear?
Maybe not. ... Some changes for clarity were started, but rolled back until the
Security Team has time to properly review those. I expect that will get picked
up again in January.

Cheers,
-g
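The process above asks a PMC to vote on "public release branch + privately held patch" rather than on a tag. The following is an added example, not code from this thread or from ASF tooling, showing one way voters can confirm they are all looking at the same sources: apply the private patch to a checkout of the public branch, then compute a content fingerprint of the resulting tree (sorted file paths and SHA-256 of each file, hashed once more) and compare that value on the private list. The directory layout, the patch file name and the sample "2.43 branch" contents are constructed for the demo; the fingerprint scheme itself is an assumption, not an ASF convention.

```shell
#!/bin/sh
# Added example (not from the thread): fingerprint "public branch + private patch"
# so every voter can check they applied the fix to identical sources.
# All paths, file names and the sample tree below are constructed for the demo.
set -eu

# sha256 of stdin, portable across coreutils, BSD and openssl-only hosts
sha256_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 | cut -d' ' -f1
  else
    openssl dgst -sha256 | sed 's/^.*= //'
  fi
}

# tree_fingerprint DIR: hash of the sorted "sha256  relative-path" list of all
# files. VCS metadata is excluded so an svn checkout and a git checkout of the
# same sources (with or without the patch) yield the same value.
tree_fingerprint() {
  dir=$1
  ( cd "$dir" && find . -type f ! -path './.svn/*' ! -path './.git/*' | LC_ALL=C sort |
    while IFS= read -r f; do
      printf '%s  %s\n' "$(sha256_stdin < "$f")" "$f"
    done ) | sha256_stdin
}

# apply_private_patch DIR PATCH: apply the privately-held fix on top of a
# checkout of the public release branch and print the fingerprint to vote on.
# The dry run first refuses to leave a half-applied tree if a hunk no longer fits.
apply_private_patch() {
  dir=$1; patchfile=$2
  patch -d "$dir" -p1 --dry-run < "$patchfile" >/dev/null
  patch -d "$dir" -p1 < "$patchfile" >/dev/null
  tree_fingerprint "$dir"
}

# demo: a constructed mini "2.43 branch" plus a constructed one-line fix
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/branch/src" "$work/branch/.svn"
  printf 'int check(int n) { return n > 0; }\n' > "$work/branch/src/check.c"
  printf 'ignored metadata\n' > "$work/branch/.svn/entries"
  cat > "$work/fix.patch" <<'EOF'
--- a/src/check.c
+++ b/src/check.c
@@ -1 +1 @@
-int check(int n) { return n > 0; }
+int check(int n) { return n > 0 && n < 4096; }
EOF
  echo "branch only:   $(tree_fingerprint "$work/branch")"
  echo "branch + fix:  $(apply_private_patch "$work/branch" "$work/fix.patch")"
  rm -rf "$work"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh fingerprint.sh --demo`. The value printed for "branch + fix" is what the [VOTE] thread on the private list would quote; anyone whose checkout of the public branch plus the distributed patch file produces a different value is not voting on the same release candidate.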
