Thanks Mark! That was very helpful.

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Monday, May 23, 2011 5:58 PM
To: Tomcat Users List
Subject: Re: How to get early notification of the upcoming release

On 23/05/2011 12:30, Rupesh Kumar wrote:
> Hi,
> 
> How do I get an early notification of the upcoming release (including 
> Security fix) from Tomcat? Is there any program/subscription mechanism for 
> this?

Proposed releases are discussed on the dev mailing list. As a minimum there 
will be an svn commit to create the release tag and a VOTE on the proposed 
release prior to any release. If you follow the dev list you will have as much 
notice as anyone else of a Tomcat release. As an aside, Tomcat 7 currently 
releases once a month with the process starting at the beginning of the month.

No advance notification is made of security vulnerabilities fixed in any Tomcat 
release. Information regarding unpublished security vulnerabilities is limited 
to:
- the person that reported the issue
- the Tomcat security team
- the Apache security team

Membership of the Tomcat security team is limited to Tomcat committers.
Membership of the Apache security team is limited (as far as I recall) to 
members of the foundation.

Members of the Apache and/or Tomcat security teams may share information on 
Tomcat security vulnerabilities with domain experts (e.g. colleagues at their 
employer) providing that it is made clear that a) the information is not for 
public disclosure and b) that all discussion of the vulnerability is cc'd to 
the tomcat security mailing list.

When a vulnerability is made public (usually shortly after the release in which 
it is fixed is available) then it is announced to:
- Tomcat announce mailing list
- Tomcat dev mailing list
- Tomcat users mailing list
- Apache announce mailing list
- Bugtraq
- Full disclosure

> Basically we have made some custom changes to Tomcat source and would like to 
> get the early notification so that we can merge those changes with Tomcat 
> ones and make it available as soon as the public release is made.

That isn't possible. However, depending on what those custom changes are, one 
option is to propose the changes for inclusion in Tomcat so you no longer need 
to merge them in. Note that without knowing what the changes are, there is no 
guarantee that they will be accepted. Changes you would like to propose should 
be added as enhancement requests in Bugzilla.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

