Sorry, did not know, new for me. Was just informing the community that the change log has undergone a change. And the new change log is only available with the next release.
We and other sites (e.g. AH etc.) have already for years and years been making a release available as soon as it had passed the vote as GA, and you should know that. Why this mail in public now, after all these years? Please off list.

> On 2 Apr 2019 at 19:14, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
>> On Tue, Apr 2, 2019 at 2:35 AM Steffen <i...@apachelounge.com.invalid> wrote:
>
>> The ASF HTTPD project did not mention security vulnerabilities fixed in
>> the initial changelog 2.4.39.
>
> To be 100% accurate, the ASF HTTP Server project had not announced the
> release of 2.4.39. It had concluded a vote, but only the RM's announcement
> triggers the release. There is a delay for the RM to stage the artifacts so
> they can be downloaded by anyone from our entire array of mirror sites. And
> in that time, the RM could even pull the release owing to a serious packaging
> glitch, if they should need to (this happened not so long ago at httpd.)
>
> You jumped the gun by pre-announcing your package as a "release", ahead
> of the RM's announce and ahead of downloads from the ASF, which is poor
> form to say the least.
>
> Security issues are embargoed until that announcement is broadcast by
> the RM to the entire public at once. The project will not mention security
> vulnerabilities fixed until that moment.
>
> This isn't to say you shouldn't assemble your release of version x.y.z based
> on the vote candidate; in fact any change to that source package will always
> trigger version x.y.z+1, so there is no risk that your build varies from the
> final announced package. Be ahead of the game preparing your binary package,
> but defer any publicity until after the actual announcement.