On May 5, 2017 9:28 AM, "Jacob Champion" wrote:
On 05/05/2017 01:34 AM, André Malo wrote:
> Well... It was a split-project back then (in CVS even... :-)). I'm also not
> sure we want all those jar files and stuff in the main repo. Most people
> neither use nor need it.
>
On 05/05/2017 01:32 PM, Jim Jagielski wrote:
+1... Lets do it.
BTW, I would adjust #16 to include:
Add the CVE to the CHANGES file.
That way, it's still documented in CHANGES, just after the release
is spun out, show it shows up in the next release's CHANGES.
Sounds good to me.
--Jacob
+1... Lets do it.
BTW, I would adjust #16 to include:
Add the CVE to the CHANGES file.
That way, it's still documented in CHANGES, just after the release
is spun out, show it shows up in the next release's CHANGES.
> On May 5, 2017, at 8:39 AM, Eric Covener wrote:
>
>
On 05/05/2017 05:39 AM, Eric Covener wrote:
Here is the change that probably has the biggest impact to the community:
"""
...
The project team commits the fix. No reference should be made to the
commit being related to a security vulnerability.
This is the only part that makes me nervous,
[Re-cc'ing docs. Sorry.]
On 05/05/2017 01:34 AM, André Malo wrote:
Well... It was a split-project back then (in CVS even... :-)). I'm
also not
sure we want all those jar files and stuff in the main repo. Most people
neither use nor need it.
I don't mind having the binaries in a separate
On 05/05/2017 01:34 AM, André Malo wrote:
Well... It was a split-project back then (in CVS even... :-)). I'm also not
sure we want all those jar files and stuff in the main repo. Most people
neither use nor need it.
I don't mind having the binaries in a separate place, so much as I mind
(note to security@ folks -- this is a public dev@ thread!)
Hi All. Over the years we have tried different approaches to handling
CVEs, varying based on who did the work, their understanding of the
unwritten procedures, and the severity of the bug. We haven't ever
come to a solid consensus on
* Jacob Champion wrote:
> [crossposting dev@ and docs@]
>
> On 05/04/2017 04:55 PM, jchamp...@apache.org wrote:
> > Author: jchampion
> > Date: Thu May 4 23:55:48 2017
> > New Revision: 1793940
> >
> > URL: http://svn.apache.org/viewvc?rev=1793940=rev
> > Log:
> > override index: add deps and
2017-05-05 7:55 GMT+02:00 Stefan Eissing :
> Looks like almost all our users will need to reconfigure their cipher
> suites, once we ship 2.4.26 and they install OpenSSL 1.1.x:
>
> "If you explicitly configure your ciphersuites then care should be taken
> to ensure