Sorry, did not know, new for me.

Was just informing the community that the change log has undergone a change. 
And the new change log is only available with the next release. 

We and other sites (e.g. AH etc.) have already been making a release
available for years and years as soon as it had passed the vote as GA, and you should know that.
Why this mail in public now, after all those years?

Please off list. 


> On 2 Apr 2019, at 19:14, William A Rowe Jr <wr...@rowe-clan.net> wrote the
> following:
> 
>> On Tue, Apr 2, 2019 at 2:35 AM Steffen <i...@apachelounge.com.invalid> wrote:
> 
>> The ASF HTTPD project did not mention security vulnerabilities fixed in 
>> the initial changelog 2.4.39.
> 
> To be 100% accurate, the ASF HTTP Server project had not announced the
> release of 2.4.39. It had concluded a vote, but only the RM's announcement
> triggers the release. There is a delay for the RM to stage the artifacts so they
> can be downloaded by anyone from our entire array of mirror sites. And in
> that time, the RM could even pull the release owing to a serious packaging
> glitch, if they should need to (this happened not so long ago at httpd.)
> 
> You jumped the gun by pre-announcing your package as a "release", ahead 
> of the RM's announce and ahead of downloads from the ASF, which is poor 
> form to say the least. 
> 
> Security issues are embargoed until that announcement is broadcast by 
> the RM to the entire public at once. The project will not mention security 
> vulnerabilities fixed until that moment.
> 
> This isn't to say you shouldn't assemble your release of version x.y.z based
> on the vote candidate; in fact any change to that source package will always
> trigger version x.y.z+1, so there is no risk that your build varies from the final
> announced package. Be ahead of the game preparing your binary package,
> but defer any publicity until after the actual announcement.
> 
> 
