On 17 Jan 2012, at 7:01 AM, William A. Rowe Jr. wrote: > To further elaborate... > > https://dist.apache.org/repos/dist/release/httpd/patches/ > > * contains nothing to protect adopters of our beta since 2.3.5 > > * contains few of the patches necessary to close issues since 2.2.21
I don't see how any of this has anything to do with this release at all. The patches directory should be used to publish security patches when those security patches are committed, not at some arbitrary future date when a release is made, and it seems that this hasn't been done. Fixing this to me seems trivial, go through the CHANGES file, identify the entries marked SECURITY, and upload each patch to the patches directory to catch up. Shouldn't take long to do at all. Then, add a message to the top of the CHANGES file explaining to future committers that security patches should be sorted at the top, and committed to https://dist.apache.org/repos/dist/release/httpd/patches/, so that contributors to this project actually know this is expected, and end users know where to look. Regards, Graham --
smime.p7s
Description: S/MIME cryptographic signature
