> -----Original Message-----
> From: Xeno Amess
> Sent: Monday, January 3, 2022 10:40 AM
>
> +0
>
> I am just worried about several things.
>
> 1. Will it make the CVE's fix come out more slowly?
> A vote means waiting for 72 hours usually.
>
> 2. Do all PMC who enter the vote always have enough ability and knowledge
> for notifying how severe a vulnerability is? Some vulnerabilities seem like a
> small problem, nothing at all, but would actually do very much damage.

1. see: https://www.apache.org/foundation/voting.html
2. it does not have to be 72 hours.
3. Use CONSENSUS THROUGH SILENCE.

e.g.

Subject: Vote on apply CVE of 8.3 (v3 score) to release x.y.z [18 hours, silence=approve]

SUMMARY... blah blah blah

[] +1, Create CVE and accept tag release
[] -1, DO NOT create CVE and address release at another time / vote

The vote will remain open for 18 hours (short security timeline). All votes are welcome and we encourage everyone to participate, but only Logging PMC votes are “officially” counted. As always, at least 3 +1 votes and more positive than negative votes are required. LACK OF NEGATIVE VOTES will be assumed as a consensus.

-Jason
