couchdb-dev mailing list archives

From Mark J Cox <...@apache.org>
Subject Re: [PROPOSAL] Future security announcement policy
Date Fri, 22 May 2020 17:27:32 GMT
On Fri, May 22, 2020 at 6:15 PM Joan Touzet <wohali@apache.org> wrote:

> I'm curious what the Apache Security team's opinion is on this (they are
> cc'ed on every email to security@couchdb.apache.org)
The policy that OpenSSL has works because OpenSSL doesn't release the
update at the time of that prenotification and usually the fix for the
issue isn't in the repo; instead it's handled in private with the final
commits and tarball going live around the same time as the advisory is
published (all within an hour or so anyway).  As stated in the thread, if
you notify your users there is a security issue (or worse if you tell them
it's a 'critical' one)  in a tarball you've already released then you'll
end up with people looking through the commits to find it so they can
publish it or exploit it and then it creates a disclosure mess which we
would not recommend.

Regards, Mark
