Security issues diffusion strategy

> Hi,
>
> Maybe you have heard about Equifax and Apache Struts recently.
> While following the story on the ASF members side I read some emails which made me think about our security issues diffusion strategy.
>
> There are 2 things projects like HTTPD and Tomcat do:
>
> 1. They amend the commits that fixed the issue by adding a the CVE reference in the comment
> 2. Tomcat also includes a link/s to the commit/s that fixed the issue on their security page.
>
> We already do 1 (at least I found some commits logs amended) but should we not also do 2 at https://ofbiz.apache.org/download.html ?
>
> Jacques
>
>

> Actually, we follow https://www.apache.org/security/committers.html 
> and are right to do.
>
> Since I got no answers I suppose it's a silent consensus and will do 2
>
> Jacques
>
>
> Le 16/09/2017 à 11:50, Jacques Le Roux a écrit :
>> Hi,
>>
>> Maybe you have heard about Equifax and Apache Struts recently.
>> While following the story on the ASF members side I read some emails
>> which made me think about our security issues diffusion strategy.
>>
>> There are 2 things projects like HTTPD and Tomcat do:
>>
>> 1. They amend the commits that fixed the issue by adding a the CVE
>> reference in the comment
>> 2. Tomcat also includes a link/s to the commit/s that fixed the issue
>> on their security page.
>>
>> We already do 1 (at least I found some commits logs amended) but
>> should we not also do 2 at https://ofbiz.apache.org/download.html ?
>>
>> Jacques
>>
>>
>

> Hi Jacques
>
> I noted that you sent the original email on a Saturday and not everyone is available to respond over a weekend so would suggest that you wait at
> least another day for any feedback.
>
> Thanks
> Sharan
>
> On 18/09/17 09:59, Jacques Le Roux wrote:
>> Actually, we follow https://www.apache.org/security/committers.html and are right to do.
>>
>> Since I got no answers I suppose it's a silent consensus and will do 2
>>
>> Jacques
>>
>>
>> Le 16/09/2017 à 11:50, Jacques Le Roux a écrit :
>>> Hi,
>>>
>>> Maybe you have heard about Equifax and Apache Struts recently.
>>> While following the story on the ASF members side I read some emails which made me think about our security issues diffusion strategy.
>>>
>>> There are 2 things projects like HTTPD and Tomcat do:
>>>
>>> 1. They amend the commits that fixed the issue by adding a the CVE reference in the comment
>>> 2. Tomcat also includes a link/s to the commit/s that fixed the issue on their security page.
>>>
>>> We already do 1 (at least I found some commits logs amended) but should we not also do 2 at https://ofbiz.apache.org/download.html ?
>>>
>>> Jacques
>>>
>>>
>>
>
>