httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: T&R of 2.4.24
Date Mon, 12 Dec 2016 06:26:50 GMT
On Thu, Dec 8, 2016 at 8:55 AM, Jim Jagielski <jim@jagunet.com> wrote:

> Things are looking good for a T&R of 2.4.24 sometime late
> today.
>
> If you have any issues or concerns, let me know asap.
>

Hi Jim,

we may have to concede, in light of many already partially disclosed
CVEs, that it is impossible to proceed.

At this moment, there are 5 committers who have invested time and
energy at looking at the current open issues. Of the stale issues, 2
refuse to fix the reported issue directly, while 3 others have lingering
patches that would fix the core defects. There is a straightforward
solution to solving such issues, but the quick-fix has issues of its
own. Only three votes are required to incorporate the fix, but in the
face of an objection, four are required to overrule a hold-out (assuming
it is even the right solution.)

Five is simply too small a number to sustain a security team at any
project of this complexity. That isn't pointing fingers at any person
whatsoever, it's an assessment of the situation.

In spite of 34 registered project committee members, until other
contributors come forward to participate in the security patch review
process, we may simply have to declare all further efforts are currently
on pause.

Sincerely, thanks for trying to push this release forward. I hope this
is all resolved quickly.
