geronimo-dev mailing list archives

From Kevan Miller <>
Subject Re: [DISCUSS] Security Vulnerability Policy created
Date Fri, 13 Feb 2009 20:23:54 GMT
Hi Joe,
Good questions.

On Feb 13, 2009, at 3:13 PM, Joe Bohn wrote:

> I have a few practical questions:
> 1) Must all affected releases be released before we can announce?

IMO, no. But I think users must have a reasonable upgrade path to receive the fix. A 2.0.x user could be reasonably expected to upgrade to 2.1.x to receive the fix. However, I couldn't reasonably expect a 2.1.x user to downgrade to 2.0.x to receive a fix. I believe that Tomcat will sometimes delay releases with security fixes on their older releases.

> 2) How long is considered too long between the check-in of code for any release (which will likely divulge the vulnerability) and the delivery of a release (or releases) which must precede the announce in the steps above? It would seem that with this proposal the time-period is unbounded.

It is unbounded. I'd set a target of 36 hours.

> 3) Is it acceptable that the release notes will not include any reference of the security vulnerabilities which are resolved?

IMO, yes.

> 4) Is it alright to update the commit log in a tag after a release has been created?

IMO, yes.

