From: jean-frederic clere
Date: Thu, 13 Oct 2011 10:03:49 +0200
To: dev@tomcat.apache.org
Subject: Re: Mail address in security-NN.html pages

On 10/13/2011 07:26 AM, Konstantin Kolinko wrote:
> Hi!
>
> Re-reading the security pages I have several notes
>
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-7.html
>
> 1) security-6.html and others have the following text:
>
> "Please send comments or corrections for these vulnerabilities to the
> Tomcat Security Team."
>
> with a link to security@ address in it.
>
> I think it is wrong. General comments and questions should be sent to
> dev@ or users@. Only exploits are for security@.
>
> I am not yet sure how to better write it. Maybe with a link to
> security.html or lists.html

I think the idea was to avoid a security comment like "in fact the fix is wrong" going to a public list.

>
>
> 2) I would like to mention that we do not provide binary patches.
>
> I think direct links to the following pages will help some people:
>
> http://tomcat.apache.org/tomcat-7.0-doc/building.html
> http://tomcat.apache.org/tomcat-7.0-doc/BUILDING.txt
>
> The links will be different for different Tomcat versions.

+1, that should prevent people from asking for a binary just after a fix.

>
>
> 3) The above issues are already mentioned on the generic security page
> (security.html), but on security-6.html page there is no direct link
> back to security.html unless you pay attention to the site menu on the
> left side.

Go fix it :D

Cheers

Jean-Frederic