httpd-dev mailing list archives

From Jeff Trawick
Subject Re: security patches and releases (was [VOTE] Release Apache httpd 2.4.0)
Date Tue, 17 Jan 2012 21:49:35 GMT
On Tue, Jan 17, 2012 at 4:19 PM, Stefan Fritsch wrote:
> On Tuesday 17 January 2012, William A. Rowe Jr. wrote:
>> I'd suggest that patches/apply_to_x.y.z/ is a clumsy notation.  It
>> seems more efficient to set these up as patches/CVE-yyyy-iiii/
>> with individual files for actively (or semi-actively) maintained
>> versions.  If there is one patch which applies to 2.2.n < 2.2.17,
>> and a second patch for 2.2.17 and higher, it would be easier to
>> differentiate these all within one directory.
> Sometimes there may be two or more separate CVEs that are fixed by a
> single patch. How would you map that to patches/CVE-yyyy-iiii/ ? Copy
> the patch? Add a README file to CVE-foo dir that the fix is included
> in the patch for CVE-bar?

include both CVEs in the pathname

> Apart from that, I don't prefer one structure over the other.

Born in Roswell... married an alien...
