On Thu, 10 Oct 2024 at 17:12, Mark Thomas <ma...@apache.org> wrote:
>
> All,
>
> One of the discussions during the security table top exercise in Denver
> was how to handle the situation when we receive a security vulnerability
> report in a project that is almost in the attic or has already entered
> the attic.
>
> Can we simply respond "Tough. The project is EOL. You should not be
> using it."?
>
> Or can we/should we provide some sort of mechanism where those users
> that still rely on the EOL product can come together, bring it out of
> the attic, fix the vulnerability, release the fixed version and put it
> back in the attic?

That seems a nice thing to allow, but doesn't it break the ASF rules?
[Namely that a release must be approved by at least 3 PMC members.]

Gilles

>
> Thoughts?
>
> Mark
>