Hi,

On Tue, Jan 13, 2009 at 6:02 PM, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> We pass around patches at secur...@httpd until they are right. Less
> efficient than SVN, perhaps.

More than the actual fixing of the vulnerability, I'm interested in the process of releasing the fix. Creating a release without version control is something I'd rather avoid.

Current Apache practices mandate at least four days of delay between a release candidate becoming available and the official release announcement being made. I believe the current best practice either assumes that nobody is looking close enough for the vulnerabilities or that the window of a few days is not long enough to cause much trouble. I guess that's OK.

However, if that's the case, should I worry about setting up read access controls in Jira? I mean, if I'm going to commit the fix to public svn, then I might as well track the issue in a public issue tracker. The issue could be created only when a patch or a workaround has been developed in private.

> We are eliminating private areas from /repos/asf/ due to the desire
> to mirror and otherwise duplicate the repository as a whole.
>
> Which leaves your project's existing private area already at
> /repos/private/pmc/TLP --- but of course you don't gain the ability
> to fork because they aren't rooted from the same repository.

Perhaps I should use git to manage security fixes. /me ducks ;-)

BR,

Jukka Zitting