Subject: Re: Security release procedures
From: Julian Foad
To: Subversion Development
Date: Fri, 30 Aug 2019 07:48:16 +0100
Message-ID: <77ee4e2f-4341-9dd8-7966-3cf4fdc30e61@apache.org>
In-Reply-To: <8f7b9b7b-5a59-a073-c105-c55d3913ef71@apache.org>

Julian Foad wrote:
> I handled two security fixes in the recent set of patch releases. It was
> the first time I had done it and the procedures were rather less than
> push-of-a-button simple to follow.
>
> 1. We should move as much as possible of the scripts and documentation
> that exists in a private repo, into a public place.

Some of the info is now moved to
http://subversion.apache.org/docs/community-guide/issues.html#security
since http://svn.apache.org/r1866117

Info on how we do pre-notification is still in the private repo and
should also be published (but the list of recipients should not).

- Julian