Jarek,
On 10/13/24 7:19 AM, Jarek Potiuk wrote:
> How do we manage expectations for projects that might still release but
> probably won't and are in practice just waiting for somebody motivated
> enough to call for a formal vote?
> Maybe the right approach is to give such a project the last chance to
> make a release and if they fail, move it to the attic (forcefully) if the
> issue is "important" and the users are put in danger? That would be very
> much in line with our "for the public good" part of the mission of the ASF -
> protecting the users from harm being done.
I would agree with this decision, but we might have to be prepared for
"bad optics" in these situations.
Imagine this:
A CVE (or other security report) is announced against Apache
Problematic™ which is on the staircase. After X days, Apache
Problematic™ PMC hasn't responded in a meaningful way, and ASF has to
step in. Users are asking what's up. Downstream projects are asking
what's up. Reporters are asking what's up.
ASF Security (or similar) makes an announcement that Apache Problematic™
is suddenly moving into the attic, there will be no fix. "Sorry,
everyone is out of luck."
I think this could make the ASF look bad in general. People might get
the idea that "ASF projects can disappear at any moment!". This is, of
course, already entirely true but not in the way that should cause concern.
I just don't want people to stop trusting Apache Commendable™ because we
have had a few Apache Problematic™-like incidents.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
For additional commands, e-mail: security-discuss-h...@community.apache.org