www-legal-discuss mailing list archives

From Rob Vesse <rve...@dotnetrdf.org>
Subject Re: Release policy exceptions
Date Tue, 15 Sep 2015 16:23:22 GMT

For the specific case of patching vulnerabilities, see the Apache Security
team procedure, which covers this kind of scenario.

On 15/09/2015 16:03, "Dennis E. Hamilton" <orcmid@apache.org> wrote:

>I am a big fan of the draft policy, especially for its clarity and
>I don't like hypotheticals, but two come to mind, and I wonder how
>specific cases can be addressed -- that is, if an exception to policy or
>consultation on how to fit within policy.
>I am thinking of issuance of binary "patches" and of out-of-cycle binary
>distributions to remedy a security vulnerability.
>What is worrisome is that a vulnerability-fixing synchronized source
>release (which certainly should exist somehow) is like a red flag to
>those who search for vulnerabilities to exploit against older releases.
>That also applies during the usual lag to have voluntary downloading and
>use of a patch/update or an out-of-cycle replacement binary (e.g., what
>Apache OpenOffice ships).
>While I don't personally know of a case where this has been an actual
>problem, I recognize it is one of the worries about slip-streaming fixes
>that could also reveal potential ways to exploit all unrepaired versions
>out there.  
>Maybe I have answered my own questions.  Although it is a problem for
>end-user personal productivity software, the open-source projects I am
>aware of rarely "patch" more than two (ASF-style) releases behind.
> - Dennis
>-----Original Message-----
>From: Marvin Humphrey [mailto:marvin@rectangular.com]
>Sent: Monday, September 14, 2015 14:09
>To: legal-discuss@apache.org
>Subject: Re: Finishing release policy codification
>On Wed, Sep 2, 2015 at 5:58 PM, Marvin Humphrey <marvin@rectangular.com>
>> Here's what's proposed (the only change is moving from draft2 to
>> 1. V.P. of Legal Affairs shall assume responsibility for curation of
>>    Apache Release Policy.
>> 2. Publish 
>>    at <http://apache.org/legal/release>.
>> 3. Replace the current Release Policy page at
>>    with a redirect to <http://apache.org/legal/release>.
>> Jim, can you please consider the proposal?
>Hello... Just sending a gentle reminder that this proposal is pending.
>Marvin Humphrey
>To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>For additional commands, e-mail: legal-discuss-help@apache.org

