httpd-dev mailing list archives

From Marion & Christophe JAILLET <christophe.jail...@wanadoo.fr>
Subject Re: [VOTE] obscuring (or not) commit logs/CHANGES for fixes to vulnerabilities
Date Fri, 10 Jan 2014 20:24:25 GMT

On 10/01/2014 14:38, Jeff Trawick wrote:
> [ ] It is an accepted practice (but not required) to obscure or omit 
> the vulnerability impact in CHANGES or commit log information when 
> committing fixes for vulnerabilities to any branch.
>
> [X] It is mandatory to provide best available description and any 
> available tracking information when committing fixes for 
> vulnerabilities to any branch, delaying committing of the fix if the 
> information shouldn't be provided yet.
>
> [ ] _______________ (fill in the blank)
>
> ---/---
>

It could also be interesting to be able to deliver a quick fix.

For example, 2.4.7 is the latest stable version. 2.4.8 has things 
back-ported from trunk little by little and should be T&R "one day" (in 
Feb?).

Should an important vulnerability be found, then releasing:
    - a 2.4.7.1    or
    - 2.4.7 SP1    or
    - 2.4.8 and delaying everything already accepted in backport for a 
later 2.4.9    or
    - whatever else
with *only fixes* for this issue, could be interesting.

Doing so would avoid time for T&R and avoid releasing something in a hurry.

Best regards,
CJ
