httpd-dev mailing list archives

From "William A. Rowe Jr." <>
Subject Re: security patches and releases (was [VOTE] Release Apache httpd 2.4.0)
Date Tue, 17 Jan 2012 15:55:56 GMT
On 1/17/2012 6:36 AM, Jim Jagielski wrote:
> Bill, I am taking your advice and learning some tact, so I
> respectfully ask: "What is your major malfunction?" I am
> growing tired of you constantly complaining while doing *nothing*
> to address those self-same issues which you seem to find so
> problematic.

I respectfully answer; and change the subject line - I'm just shocked
you responded to Steffan with a w00t.  That was just weird.

And further answer; the project malfunction is that we communicate
to users that security patches somehow exist in the respective
dist/httpd/patches/ tree.

I have taken specific steps to consolidate the patches directories
which were devoid of patches, steps to improve the data we collect
in our vulnerabilities database, identification of previously
unmaintained data for released branches, patch review on security@
and authoring patches, responding to patch reporters, etc etc etc.
I certainly don't do nothing to address security reports.

Whoever is committing the security patches for disclosed issues
ought to publish their patch on the same day.  I've participated
over 10 years, and for 10 years published relevant patches that I
had written to patches/apply_to_rev/ branches.

It seems to me that committers today have no interest in publishing
patches to dist, therefore the concept should be declared DOA, the
patches/ tree removed, and a new mechanism for communicating security
patches to the users be created.  Of course the legacy of that tree
would still persist under archive.a.o/dist/httpd/patches.

I'd propose we add a field in our oval-like xml table for the patch
svn url to be recorded as soon as it is committed to svn, provided
we are talking about a disclosed issue.
