www-legal-discuss mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Release policy exceptions
Date Tue, 15 Sep 2015 23:57:04 GMT

On Sep 15, 2015 11:24 AM, "Rob Vesse" <rvesse@dotnetrdf.org> wrote:
>
> Dennis
>
> For the specific case of patching vulnerabilities see the Apache Security
> team procedure which covers this kind of scenario
>
> http://www.apache.org/security/committers.html

And please note there is no provision for any release that is not source
code, and there will not be, given our corporate declaration of purpose to
the State of Delaware, US.

We can strive to ensure that binaries exist almost contemporaneously with
the source code release, but sources are what we create, not black boxes.

You can choose not to reveal security implications, but fix the defect
anyways.  You can coordinate with a reporter the delayed notice of the
vulnerability or exploit, if they agree.  But black box binaries are
orthogonal to open source, period.
