Hi Joe, Good questions. On Feb 13, 2009, at 3:13 PM, Joe Bohn wrote:
I have a few practical questions: 1) Must all affected releases be released before we can announce?
IMO, no. But I think users must have a reasonable upgrade path to receive the fix. A 2.0.x user could be reasonably expected to upgrade to 2.1.x to receive the fix. However, I couldn't reasonably expect a 2.1.x user to downgrade to 2.0.x to receive a fix. I believe that Tomcat will sometimes delayed releases with security fixes on their older releases.
2) How long is considered too long between the check-in of code for any release (which will likely divulge the vulnerability) and the delivery of a release (or releases) which must precede the announce in the steps above? It would seem that with this proposal the time- period is unbounded.
It is unbounded. I'd set a target of 36 hours.
3) Is it acceptable that the release notes will not include any reference of the security vulnerabilities which are resolved?
IMO, yes.
4) Is it alright to update the commit log in a tag after a release has been created?
IMO, yes. --kevan
