+-0 I have no strong opinion. I do believe that an informal consensus about our best practice should be all we need. It should suffice when two PMC members acknowledge both fix and official communication. My perception is that we already do our best. Beyond that, it will always be a walk on the edge to satisfy all and any potential criteria (response time, quality of the fix, quality of the communication, quality of the mitigation procedures, ...). We may have to accept that these criteria will never be exactly the same and have the same weight for all security issues.
-- Sent from my phone. Typos are a kind gift to anyone who happens to find them.

On Mon, Jan 3, 2022, 16:54 Jason Pyeron <[email protected]> wrote:

> > -----Original Message-----
> > From: Xeno Amess
> > Sent: Monday, January 3, 2022 10:40 AM
> >
> > +0
> >
> > I'm just worried about several things.
> >
> > 1. Will it make the CVE's fix come out more slowly?
> > A vote usually means waiting for 72 hours.
> >
> > 2. Do all PMC members who enter the vote always have enough ability and knowledge
> > for notifying how severe a vulnerability is? Some vulnerabilities seem like
> > small problems, nothing at all, but would actually do very much damage.
>
> 1. See: https://www.apache.org/foundation/voting.html
> 2. It does not have to be 72 hours.
> 3. Use CONSENSUS THROUGH SILENCE.
>
> e.g.
>
> Subject: Vote on applying CVE of 8.3 (v3 score) to release x.y.z [18 hours, silence=approve]
>
> SUMMARY... blah blah blah
>
> [ ] +1, Create CVE and accept tag release
> [ ] -1, DO NOT create CVE and address release at another time / vote
>
> The vote will remain open for 18 hours (short security timeline). All votes are welcome and we encourage everyone to participate, but only Logging PMC votes are "officially" counted. As always, at least 3 +1 votes and more positive than negative votes are required.
>
> LACK OF NEGATIVE VOTES will be assumed as a consensus.
>
> -Jason
