www-legal-discuss mailing list archives

From Rob Vesse <rve...@dotnetrdf.org>
Subject Re: Release policy exceptions
Date Tue, 15 Sep 2015 16:23:22 GMT
Dennis

For the specific case of patching vulnerabilities see the Apache Security
team procedure which covers this kind of scenario

http://www.apache.org/security/committers.html

Rob


On 15/09/2015 16:03, "Dennis E. Hamilton" <orcmid@apache.org> wrote:

>I am a big fan of the draft policy, especially for its clarity and
>definiteness.
>
>I don't like hypotheticals, but two come to mind, and I wonder how
>specific cases can be addressed -- that is, if an exception to policy or
>consultation on how to fit within policy.
>
>I am thinking of issuance of binary "patches" and of out-of-cycle binary
>distributions to remedy a security vulnerability.
>
>What is worrisome is that a vulnerability-fixing synchronized source
>release (which certainly should exist somehow) is like a red flag to
>those who search for vulnerabilities to exploit against older releases.
>That also applies during the usual lag to have voluntary downloading and
>use of a patch/update or an out-of-cycle replacement binary (e.g., what
>Apache OpenOffice ships).
>
>While I don't personally know of a case where this has been an actual
>problem, I recognize it is one of the worries about slip-streaming fixes
>that could also reveal potential ways to exploit all unrepaired versions
>out there.  
>
>Maybe I have answered my own questions.  Although it is a problem for
>end-user personal productivity software, the open-source projects I am
>aware of rarely "patch" more than two (ASF-style) releases behind.
>
> - Dennis
>
>
>
>-----Original Message-----
>From: Marvin Humphrey [mailto:marvin@rectangular.com]
>Sent: Monday, September 14, 2015 14:09
>To: legal-discuss@apache.org
>Subject: Re: Finishing release policy codification
>
>On Wed, Sep 2, 2015 at 5:58 PM, Marvin Humphrey <marvin@rectangular.com>
>wrote:
>
>> Here's what's proposed (the only change is moving from draft2 to
>>draft3).
>>
>> 1. V.P. of Legal Affairs shall assume responsibility for curation of
>>    Apache Release Policy.
>> 2. Publish 
>><https://github.com/rectang/asfrelease/blob/draft3/release.md>
>>    at <http://apache.org/legal/release>.
>> 3. Replace the current Release Policy page at
>><http://apache.org/dev/release>
>>    with a redirect to <http://apache.org/legal/release>.
>>
>> Jim, can you please consider the proposal?
>
>Hello... Just sending a gentle reminder that this proposal is pending.
>
>Marvin Humphrey
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>For additional commands, e-mail: legal-discuss-help@apache.org
>
>
