On Tue, Apr 2, 2019 at 2:35 AM Steffen <i...@apachelounge.com.invalid> wrote:
> The ASF HTTPD project did not mention security vulnerabilities fixed in > the initial changelog 2.4.39. To be 100% accurate, the ASF HTTP Server project had not announced the release of 2.4.39. It had concluded a vote, but only the RM's announcement triggers the release. There is a delay for the RM to stage the artifacts so they can be downloaded by anyone from our entire array of mirror sites. And in that time, the RM could even pull the release owing to a serious packaging glitch, if they should need to (this happened not so long ago at httpd.) You jumped the gun by pre-announcing your package as a "release", ahead of the RM's announce and ahead of downloads from the ASF, which is poor form to say the least. Security issues are embargoed until that announcement is broadcast by the RM to the entire public at once. The project will not mention security vulnerabilities fixed until that moment. This isn't to say you shouldn't assemble your release of version x.y.z based on the vote candidate; in fact any change to that source package will always trigger version x.y.z+1, so there is no risk that your build varies from the final announced package. Be ahead of the game preparing your binary package, but defer any publicity until after the actual announcement.
