httpd-cvs mailing list archives

Subject svn commit: r1558087 - /httpd/site/trunk/content/dev/guidelines.mdtext
Date Tue, 14 Jan 2014 16:04:53 GMT
Author: trawick
Date: Tue Jan 14 16:04:53 2014
New Revision: 1558087

Document policy of deferring commits of vulnerability fixes until we can properly disclose.


Modified: httpd/site/trunk/content/dev/guidelines.mdtext
--- httpd/site/trunk/content/dev/guidelines.mdtext (original)
+++ httpd/site/trunk/content/dev/guidelines.mdtext Tue Jan 14 16:04:53 2014
@@ -377,6 +377,34 @@ Example CHANGES entries: `
      respected; set DEFAULT_REL_RUNTIMEDIR instead.  [Jeff Trawick]
+# Committing Security Fixes
+Open source projects, ASF or otherwise, have varying procedures for 
+commits of vulnerability fixes.  One important aspect of these procedures
+is whether or not fixes to vulnerabilities can be committed to a
+repository with commit logs and possibly CHANGES entries which 
+purposefully obscure the vulnerability and omit any available 
+vulnerability tracking information.  The Apache HTTP Server project has
+decided that it is in the best interest of our users that the initial 
+commit of such code changes to any branch will provide the best 
+description available at that time as well as any available tracking
+information such as CVE number when committing fixes for vulnerabilities
+to any branch.  Committing of the fix will be delayed until the project 
+determines that all of the information about the issue can be shared.
+In some cases there are very real benefits to sharing code early even if
+full information about the issue cannot, including the potential for
+broader review, testing, and distribution of the fix. This is outweighed
+by the concern that sharing only the code changes allows skilled analysts
+to determine the impact and exploit mechanisms but does not allow the
+general user community to determine if preventative measures should be
+If a vulnerability is partially disclosed by committing a fix before the
+bug is determined to be exploitable, the httpd security team will decide
+when to document the security implications and tracking number on a case
+by case basis.
 # Patch Format # {#patch}
 When a specific change to the software is proposed for discussion or voting
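Review bot: the sentence ending at "general user community to determine if preventative measures should be" breaks off mid-thought and runs directly into "If a vulnerability is partially disclosed by committing a fix...", so the end of that sentence (and the paragraph break before the next one) needs to be restored before this lands. The new "# Committing Security Fixes" heading also departs from the file's heading convention visible in the trailing context, which closes the heading with "#" and attaches an explicit anchor id ("# Patch Format # {#patch}"); suggest "# Committing Security Fixes # {#security}" (anchor name is a suggestion) so the section can be linked from the security pages. Minor: the first policy sentence says "to any branch" twice ("commit of such code changes to any branch will provide ..." and "... fixes for vulnerabilities to any branch"); drop one occurrence.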
