From: Robert Samuel Newson
To: dev@couchdb.apache.org
Cc: security@couchdb.apache.org
Subject: [PROPOSAL] Future security announcement policy
Date: Fri, 22 May 2020 12:38:01 +0100
Mailing-List: dev@couchdb.apache.org (run by ezmlm)

Hi All,

We've just published a CVE and it made me think about our current announcement policy.

Currently, when we receive notice of a security issue, the PMC investigate it, fix it if it's genuine, then we prepare and publish a release without mentioning the security issue. A week after publication we publish the CVE.

I think we can do better. I follow haproxy and openssl announcements for security reasons and have found their early warning very helpful. I wonder if we can do something similar?

My proposal is modest. Everything stays the same as today except we announce that there is a security fix in the release _at the time we publish it_. The details are withheld for the regular 7 day period.

Are there objections to that step? Should we do more? Would it be useful to categorise the security issue (low, medium, high; whether it is present in the default config; whether it can be mitigated without taking the upgrade)?

B.