www-legal-discuss mailing list archives

From "Dennis E. Hamilton" <orc...@apache.org>
Subject Release policy exceptions
Date Tue, 15 Sep 2015 15:03:21 GMT
I am a big fan of the draft policy, especially for its clarity and definiteness.

I don't like hypotheticals, but two come to mind, and I wonder how specific cases can be addressed
-- that is, whether by an exception to policy or by consultation on how to fit within policy.

I am thinking of issuance of binary "patches" and of out-of-cycle binary distributions to
remedy a security vulnerability.  

What is worrisome is that a vulnerability-fixing synchronized source release (which certainly
should exist somehow) is like a red flag to those who search for vulnerabilities to exploit
against older releases.  That also applies during the usual lag to have voluntary downloading
and use of a patch/update or an out-of-cycle replacement binary (e.g., what Apache OpenOffice
ships).

While I don't personally know of a case where this has been an actual problem, I recognize
it is one of the worries about slip-streaming fixes that could also reveal potential ways
to exploit all unrepaired versions out there.  

Maybe I have answered my own questions.  Although it is a problem for end-user personal productivity
software, the open-source projects I am aware of rarely "patch" more than two (ASF-style)
releases behind.

 - Dennis



-----Original Message-----
From: Marvin Humphrey [mailto:marvin@rectangular.com] 
Sent: Monday, September 14, 2015 14:09
To: legal-discuss@apache.org
Subject: Re: Finishing release policy codification

On Wed, Sep 2, 2015 at 5:58 PM, Marvin Humphrey <marvin@rectangular.com> wrote:

> Here's what's proposed (the only change is moving from draft2 to draft3).
>
> 1. V.P. of Legal Affairs shall assume responsibility for curation of
>    Apache Release Policy.
> 2. Publish <https://github.com/rectang/asfrelease/blob/draft3/release.md>
>    at <http://apache.org/legal/release>.
> 3. Replace the current Release Policy page at <http://apache.org/dev/release>
>    with a redirect to <http://apache.org/legal/release>.
>
> Jim, can you please consider the proposal?

Hello... Just sending a gentle reminder that this proposal is pending.

Marvin Humphrey

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org



