Jukka Zitting wrote:
> More than the actual fixing of the vulnerability, I'm interested in
> the process of releasing the fix. Creating a release without version
> control is something I'd rather avoid.
Ok, to clarify, we commit immediately before the tag is rolled, and we usually expedite those release votes, so perhaps 36 hours elapses before the world is pointed at a new release. You have to let the actual severity, scope and impact on the user community dictate the 'one best way' to handle a particular incident.

Sometimes the commit message cites the bug, but calls out nothing about its potential for abuse. Yes, clever people could come up with something. But their 'discovery' based on the fix usually pales in comparison to the original discovery, and we acknowledge the first reporter (sometimes second or third, if independently uncovered) in the release announcement. So security researchers remain busy studying 'unknown' issues to enhance their karma/fame/fortune etc.

Bill