On Fri, Aug 22, 2014 at 7:46 AM, William A. Rowe Jr. <wr...@rowe-clan.net> wrote:
> On Thu, 21 Aug 2014 15:10:02 -0400
> Jeff Trawick <traw...@gmail.com> wrote:
>
> > * Place a patch for 2.4.10 in patches/apply_to_
> > * Refer to the 2.4.10 patch after the description of the vulnerability
> > within the 2.2.next announcement.
>
> Rather than maintaining these any longer in dist/, we have
> https://svn.apache.org/rREV history (and most security patches
> are condensed down to a single patch by the time they hit our
> legacy/maintenance branches)... and maintain all pointers out
> in the http://httpd.apache.org/security/vulnerabilities_24.html
> tables. WDYT?

It sounds reasonable, but implications are unclear... In particular, I am concerned that listing occasional patches there, such as in the rare circumstance when 2.2.x releases a fix prior to 2.4.x, almost begs for people who review that to want similar treatment for other vulnerabilities. Not a bad thing, but it will consume more time...

--
Born in Roswell... married an alien...
http://emptyhammock.com/