httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: security patches and releases (was [VOTE] Release Apache httpd 2.4.0)
Date Tue, 17 Jan 2012 16:26:27 GMT
On 17 Jan 2012, at 5:55 PM, William A. Rowe Jr. wrote:

> Whoever is committing the security patches for disclosed issues
> ought to publish their patch on the same day.  I've participated
> over 10 years, and for 10 years published relevant patches that I
> had written to patches/apply_to_rev/ branches.
> 
> It seems to me that committers today have no interest in publishing
> patches to dist, therefore the concept should be declared DOA, the
> patches/ tree removed, and a new mechanism for communicating security
> patches to the users be created.  Of course the legacy of that tree
> would still persist under archive.a.o/dist/httpd/patches.

What I don't understand is how the conclusion is drawn that committers don't have an interest
in publishing patches to dist, when a far more likely explanation is that nobody knew to do
so.

Take our opening site page at http://httpd.apache.org/, no mention of patches at all. Zoom
in a little to the download page at http://httpd.apache.org/download.cgi#apache23, and still
no mention of the patches directory. If our end users aren't alerted to the fact these patches
exist, you can hardly expect our committers to.

The idea behind patches is entirely sound, and I strongly disagree that the practice should
stop. Instead, the practice should be properly formalised, with comments added to the appropriate
places so that it is made obvious to committers what to do, and at the same time both our
opening page and our downloads page should be amended to contain links to the patches directory
for the benefit of end users.

Regards,
Graham
--