httpd-dev mailing list archives

From Stefan Fritsch
Subject Re: security patches and releases (was [VOTE] Release Apache httpd 2.4.0)
Date Tue, 17 Jan 2012 21:19:02 GMT
On Tuesday 17 January 2012, William A. Rowe Jr. wrote:
> I'd suggest that patches/apply_to_x.y.z/ is a clumsy notation.  It
> seems more efficient to set these up as patches/CVE-yyyy-iiii/
> with individual files for actively (or semi-actively) maintained
> versions.  If there is one patch which applies to 2.2.n < 2.2.17,
> and a second patch for 2.2.17 and higher, it would be easier to
> differentiate these all within one directory.

Sometimes there may be two or more separate CVEs that are fixed by a 
single patch. How would you map that to patches/CVE-yyyy-iiii/ ? Copy 
the patch? Add a README file to CVE-foo dir that the fix is included 
in the patch for CVE-bar?

Apart from that, I don't prefer one structure over the other.
