geronimo-dev mailing list archives

From Jack Cai <>
Subject Re: [DISCUSS] Security Vulnerability Policy created
Date Mon, 16 Feb 2009 09:43:06 GMT
> 8. Reach an agreement for the fix and announcement schedule with the
> submitter.
> 9. Announce the vulnerability (users, dev, security@a.o, bugtraq at
>, full-disclosure at and project
> security pages). The vulnerability announcement must provide
> instructions on how to prevent or fix the security problem.

How easy will we allow our users to fix the security issue by following the
instructions here? If it's something like "replace this jar with the
attached jar, and restart server" etc., then it looks easy. But if it's
something like "applying the fix committed in Revision XXXXXX, rebuild the
code and ...", then we are putting too much burden on users, assuming the
majority of our users never care to build Geronimo by themselves.

So in this sense, making a maintenance release is a preferable "total"
solution for our users.

