geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevan Miller <>
Subject Re: [DISCUSS] Security Vulnerability Policy created
Date Fri, 13 Feb 2009 19:58:18 GMT

On Feb 13, 2009, at 11:47 AM, Joe Bohn wrote:

> Based on the positive feedback to my proposal I updated out wiki  
> process document with the steps I proposed earlier.  See

>  for details.

Sorry, I thought that I'd replied to this, already.

I have one change -- a *release* (i.e. a release vote) must precede  
the formal announcement of a vulnerability.

So, I would make the process:

9. Create a JIRA and commit the fix in all actively maintained  
releases. The contents of the Jira should not indicate that it is a  
security-related Jira.
10. Roll a release for each actively maintained branch (unreleased  
trunk can wait.)
11. Announce the vulnerability (users, dev, security@a.o, bugtraq at, full-disclosure at and project  
security pages)
12. Update the JIRA and svn log with security-related information and  
include the CVE number.

The svn commit at step 9 may contain enough information to indicate  
the security vulnerability. However, until we have a *release*, we  
don't have an Apache-sanctioned resolution to the problem. The voting  
process for a security-fix release can be expedited (by pre-vetting  
the release on private mailing lists). I'm comfortable with this  
slight exposure. Also, this is the same basic process followed by  
other Apache projects.


View raw message