Jukka Zitting wrote:
>
> The process at .../security/ answers parts of that question, but I
> find some steps like the suggestion to obscure the commit that fixes a
> vulnerability a bit awkward. One idea I came up with is to have a
> read-protected area in svn where (only?) security fixes can be
> developed and prepared for release.

We pass around patches at secur...@httpd until they are right. Less efficient than SVN, perhaps.

We are eliminating private areas from /repos/asf/ due to the desire to mirror and otherwise duplicate the repository as a whole. Which leaves your project's existing private area already at /repos/private/pmc/TLP --- but of course you don't gain the ability to fork because they aren't rooted from the same repository.

So for most issues, passing around small patches "just works".

Bill
