couchdb-dev mailing list archives

From Robert Samuel Newson <rnew...@apache.org>
Subject [PROPOSAL] Future security announcement policy
Date Fri, 22 May 2020 11:38:01 GMT
Hi All,

We've just published a CVE and it made me think about our current announcement policy.

Currently, when we receive notice of a security issue, the PMC investigate it, fix it if it's
genuine, then we prepare and publish a release without mentioning the security issue. A week
after publication we publish the CVE.

I think we can do better. I follow haproxy and openssl announcements for security reasons
and have found their early warning very helpful. I wonder if we can do something similar?

My proposal is modest. Everything stays the same as today except we announce that there is
a security fix in the release _at the time we publish it_. The details are withheld for the
regular 7 day period.

Are there objections to that step? Should we do more? Would it be useful to categorise the security
issue (low, medium, high; whether it is present in the default config; whether it can be mitigated
without taking the upgrade)?

B.

