> If this is true, then I don't see how anyone, ever, would issue a "not affected" statement as mentioned by Arnout.

Yep. I don't see it either. I would not do it for sure if I knew what legal implications it brings. This is why my responses to those questions are like this: https://github.com/apache/airflow/discussions/44865#discussioncomment-11656354 and this https://github.com/apache/airflow/discussions/40590 and I would never, ever respond differently. It makes some of our users angry, but I don't see how I can answer differently currently without putting ASF and myself at risk. Not until we have clarity on how to do it at least.

J.

On Wed, Feb 5, 2025 at 3:44 PM Gilles Sadowski <gillese...@gmail.com> wrote:

> Hi.
>
> On Wed, Feb 5, 2025 at 13:51, Jarek Potiuk <ja...@potiuk.com> wrote:
> >
> > And let me repeat what I wrote on slack today:
> >
> > For ASF the legal risk is huge. If someone gets billions of dollars in
> > damage because they trusted we told them "we are not vulnerable to this
> > 3rd-party vulnerability" - they might sue ASF and demand all our trademarks
> > as compensation (not the money we have in the bank). This is a HUGE risk
> > for ASF and the whole open-source community if you ask me.
>
> If this is true, then I don't see how anyone, ever, would issue a
> "not affected" statement as mentioned by Arnout.
>
> Regards,
> Gilles
>
> > [...]