mrglavas commented on PR #8: URL: https://github.com/apache/xerces-j/pull/8#issuecomment-2737435938
> Seems like a good idea. Practically what happens once a report is submitted to [[email protected]](mailto:[email protected])? Who is contacted? Who will deal with it?
>
> Currently Xerces has one very occasional committer/maintainer, and there doesn't seem to be any effort or will to expand that pool. Does Apache have a process in place to emergency push a release when the project's maintainers are unavailable or non-existent?

Valid security issues when they've been reported against Xerces-J have been addressed. We've been responsive to `[email protected]` when an action is requi

> Seems like a good idea. Practically what happens once a report is submitted to [[email protected]](mailto:[email protected])? Who is contacted? Who will deal with it?
>
> Currently Xerces has one very occasional committer/maintainer, and there doesn't seem to be any effort or will to expand that pool.

This has always been a challenge. I think we have a very niche set of skills and that can be a bit of a barrier to someone less experienced. I'm +1 to just about anyone who is serious about contributing and becoming a committer / PMC member, but have found in the past when folks want something (specifically thinking about all those requests from the community about Xerces and Maven) and are asked to volunteer they don't step up.

> Does Apache have a process in place to emergency push a release when the project's maintainers are unavailable or non-existent?

We've responded to valid security issues. I recall fixing the most recent one in the scanner and that was released in Xerces-J 2.12.2.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
