I agree Jacopo, will you handle it?
I made those tiny changes after an answer Mark J. Cox made to Mark Thomas in a discussion I read on security-disc...@community.apache.org:

MT: <<We need to consider whether projects that are not releasing regularly really are healthy. Could they realistically respond to a security vulnerability in a reasonable time frame? If not, we need to move them to the attic.>>

MC: <<And we need a clear way to communicate that, and EOL releases, to users so they know the status of what they're using. There are quite a number of examples where a project has responded to a vulnerability reporter that some version is EOL but it's not been clear enough on their pages, nor any real announcement ever having been made. We need a consistent policy on what to do about vulnerabilities that come up in EOL versions, and when to allocate them CVE names ("there's an unfixed issue in X") in order to help users with scanning tools also notice when they're using out of date and now insecure projects.>>

There are at least 340+ TLPs*. So I guess it becomes worrying for the ASF. I don't think we are concerned by those worries. So this was just a small effort in this direction. I think though that we should discuss how to handle EOL announcements.

* https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1

Jacques

On 04/01/2022 at 10:45, Jacopo Cappellato wrote:
> Thank you Jacques for adding the statement: however I think it is
> time to remove the entire section of 17.12.08 since we have enough
> releases out of 18.12 already. The release 17.12.08 will always be
> available in the archive.
>
> Jacopo