++1. I was never quite happy with this process, but it seemed like there was a
lot of support for this kind of treatment.
> On Aug 17, 2020, at 7:08 AM, Joe Orton wrote:
>
>
> This roughly reverts the httpd process to what we used prior to adopting
> the Tomcat-esque policy for the whole
Wait isn't Mark Cox the guy currently under investigation by MI5 for
something something hacking on behalf of the Ministry of State Security for
the PRC? Something to do with subverting encryption globally.
That's partially why Huawei donated so much to OpenSSL, they get the 0 days
seven days in
> > This roughly reverts the httpd process to what we used prior to adopting
> > the Tomcat-esque policy for the whole ASF. We would have to document
> > this and possibly need it approved by the ASF security team.
>
> Not sure if we need to have it approved, but at least we should discuss
> This roughly reverts the httpd process to what we used prior to adopting
> the Tomcat-esque policy for the whole ASF. We would have to document
> this and possibly need it approved by the ASF security team.
+1
On Mon, Aug 17, 2020 at 02:07:33PM +0200, Ruediger Pluem wrote:
> On 11/21/19 4:51 PM, jor...@apache.org wrote:
> > Author: jorton
> > Date: Thu Nov 21 15:51:32 2019
> > New Revision: 1870095
> >
> > URL: http://svn.apache.org/viewvc?rev=1870095=rev
...
> > @@ -1132,6 +1144,17 @@ static int
On 11/21/19 4:51 PM, jor...@apache.org wrote:
> Author: jorton
> Date: Thu Nov 21 15:51:32 2019
> New Revision: 1870095
>
> URL: http://svn.apache.org/viewvc?rev=1870095=rev
> Log:
> Buffer HTTP request bodies for TLSv1.3 PHA in the same way as for
> TLSv<1.3 renegotiation.
>
> *
On 8/17/20 1:08 PM, Joe Orton wrote:
> At the moment we follow the standard ASF process for handling security
> vulnerabilities, https://www.apache.org/security/committers.html
>
> This includes the following step where fixes are committed with
> "obscured" commit messages prior to release:
At the moment we follow the standard ASF process for handling security
vulnerabilities, https://www.apache.org/security/committers.html
This includes the following step where fixes are committed with
"obscured" commit messages prior to release:
"12. The project team commits the fix. No
On 7/24/20 5:40 PM, jor...@apache.org wrote:
> Author: jorton
> Date: Fri Jul 24 15:40:16 2020
> New Revision: 40676
>
> Log:
> Add new key, remove old key.
>
> Modified:
> release/httpd/KEYS
>
Given that Joe needs to authenticate for committing and Subversion is encrypted
does anybody