On 10/01/2014 14:38, Jeff Trawick wrote:
[ ] It is an accepted practice (but not required) to obscure or omit
the vulnerability impact in CHANGES or commit log information when
committing fixes for vulnerabilities to any branch.
[X] It is mandatory to provide best available description and any
available tracking information when committing fixes for
vulnerabilities to any branch, delaying committing of the fix if the
information shouldn't be provided yet.
[ ] _______________ (fill in the blank)
---/---
It could also be interesting to be able to deliver a quick fix.
For example, 2.4.7 is the latest stable version. 2.4.8 has things
back-ported from trunk little by little and should be T&R "one day" (in
Feb?).
Should an important vulnerability be found, then releasing:
- a 2.4.7.1 or
- 2.4.7 SP1 or
- 2.4.8 and delaying everything already accepted in backport for a
later 2.4.9 or
- whatever else
with *only fixes* for this issue could be interesting.
Doing so would save the time needed for T&R and avoid releasing something in a hurry.
Best regards,
CJ