tomcat-dev mailing list archives

From jean-frederic clere <jfcl...@gmail.com>
Subject Re: Mail address in security-NN.html pages
Date Thu, 13 Oct 2011 08:03:49 GMT
On 10/13/2011 07:26 AM, Konstantin Kolinko wrote:
> Hi!
>
> Re-reading the security pages I have several notes
>
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-7.html
>
> 1) security-6.html and others have the following text:
>
> "Please send comments or corrections for these vulnerabilities to the
> Tomcat Security Team."
>
> with a link to security@ address in it.
>
> I think it is wrong. General comments and questions should be sent to
> dev@ or users@. Only exploits are for security@.
>
> I am not yet sure how to better write it. Maybe with a link to
> security.html or lists.html

I think the idea was to avoid a security comment like "in fact the fix 
is wrong" going to a public list.

>
>
> 2) I would like to mention that we do not provide binary patches.
>
> I think direct links to the following pages will help some people:
>
> http://tomcat.apache.org/tomcat-7.0-doc/building.html
> http://tomcat.apache.org/tomcat-7.0-doc/BUILDING.txt
>
> The links will be different for different Tomcat versions.

+1, that should prevent people from asking for a binary just after a fix.

>
>
> 3) The above issues are already mentioned on the generic security page
> (security.html), but on security-6.html page there is no direct link
> back to security.html unless you pay attention to the site menu on the
> left side.

Go fix it :D

Cheers

Jean-Frederic

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

