httpd-dev mailing list archives

From Jeff Trawick <>
Subject Re: [VOTE] obscuring (or not) commit logs/CHANGES for fixes to vulnerabilities
Date Sun, 12 Jan 2014 20:00:53 GMT
On Sun, Jan 12, 2014 at 10:23 AM, Tim Bannister <> wrote:

> On 12 Jan 2014, at 13:33, Jeff Trawick wrote:
> > On Fri, Jan 10, 2014 at 8:38 AM, Jeff Trawick <> wrote:
> > Open source projects, ASF or otherwise, have varying procedures for
> commits of fixes to vulnerabilities. ...
> >
> > I plan to update based on
> the outcome of the vote.
> >
> > Folks, if you want to express an opinion but haven't yet, please do so
> before Tuesday.
> >
> > I'll add something very close to the following, unless the vote changes
> considerably:
> >
> > ---cut here---
> > Open source projects, ASF or otherwise, have varying procedures for
> commits of vulnerability fixes.  One important aspect of these procedures
> is whether or not fixes to vulnerabilities can be committed to a repository
> with commit logs and possibly CHANGES entries which purposefully obscure
> the vulnerability and omit any available vulnerability tracking
> information.  The Apache HTTP Server project has decided that it is in the
> best interest of our users that the initial commit of such code changes to
> any branch will provide the best description available at that time as well
> as any available tracking information such as CVE number when committing
> fixes for vulnerabilities to any branch.  Committing of the fix will be
> delayed until the project determines that all of the information about the
> issue can be shared.
> >
> > In some cases there are very real benefits to sharing code early even if
> full information about the issue cannot, including the potential for
> broader review, testing, and distribution of the fix. This is outweighed by
> the concern that sharing only the code changes allows skilled analysts to
> determine the impact and exploit mechanisms but does not allow the general
> user community to determine if preventative measures should be taken.
> > ---cut here---
> s/outweighed by/balanced against/ ?
"balanced against" sounds fancier but I think we're deciding that it is
more "imbalanced" than "balanced"

Born in Roswell... married an alien...
