On 10/10/2024 09:27, Gilles Sadowski wrote:
> On Thu, 10 Oct 2024 at 17:12, Mark Thomas <ma...@apache.org> wrote:
>> All,
>> One of the discussions during the security table top exercise in Denver
>> was how to handle the situation when we receive a security vulnerability
>> report in a project that is almost in the attic or has already entered
>> the attic.
>> Can we simply respond "Tough. The project is EOL. You should not be
>> using it."?
>> Or can we/ should we provide some sort of mechanism where those users
>> that still rely on the EOL product can come together, bring it out of
>> the attic, fix the vulnerability, release the fixed version and put it
>> back in the attic?
> That seems a nice thing to allow, but doesn't it break the
> ASF rules? [Namely that a release must be approved by
> at least 3 PMC members.]
Yes, it would need to be under a PMC.
We could move it out of the attic and under a suitable PMC. Could be the
attic, could be an appropriate existing PMC, could be some new PMC.
How about "Apache Problematic" for the name if we use a new PMC? Sorry,
in-joke from the TTX - we needed a name for the project with the
vulnerability in the exercise and we settled on that.
Mark