Security issues diffusion strategy


Security issues diffusion strategy

Jacques Le Roux
Administrator
Hi,

Maybe you have heard about Equifax and Apache Struts recently.
While following the story on the ASF members side I read some emails which made me think about our security issues diffusion strategy.

There are 2 things projects like HTTPD and Tomcat do:

 1. They amend the commits that fixed the issue by adding the CVE reference in the commit message.
 2. Tomcat also includes link(s) to the commit(s) that fixed the issue on their security page.

We already do 1 (at least I found some commit logs amended), but should we not also do 2 at https://ofbiz.apache.org/download.html ?

Jacques


Re: Security issues diffusion strategy

Jacques Le Roux
Administrator
Actually, we follow https://www.apache.org/security/committers.html and are right to do so.

Since I got no answers, I suppose it's a silent consensus and will do 2.

Jacques


Le 16/09/2017 à 11:50, Jacques Le Roux a écrit :

> Hi,
>
> Maybe you have heard about Equifax and Apache Struts recently.
> While following the story on the ASF members side I read some emails which made me think about our security issues diffusion strategy.
>
> There are 2 things projects like HTTPD and Tomcat do:
>
> 1. They amend the commits that fixed the issue by adding the CVE reference in the commit message.
> 2. Tomcat also includes link(s) to the commit(s) that fixed the issue on their security page.
>
> We already do 1 (at least I found some commit logs amended), but should we not also do 2 at https://ofbiz.apache.org/download.html ?
>
> Jacques
>
>


Re: Security issues diffusion strategy

Sharan-F
Hi Jacques

I noted that you sent the original email on a Saturday, and not everyone
is available to respond over a weekend, so I would suggest that you wait at
least another day for any feedback.

Thanks
Sharan

On 18/09/17 09:59, Jacques Le Roux wrote:

> Actually, we follow https://www.apache.org/security/committers.html 
> and are right to do so.
>
> Since I got no answers I suppose it's a silent consensus and will do 2
>
> Jacques
>
>
> Le 16/09/2017 à 11:50, Jacques Le Roux a écrit :
>> Hi,
>>
>> Maybe you have heard about Equifax and Apache Struts recently.
>> While following the story on the ASF members side I read some emails
>> which made me think about our security issues diffusion strategy.
>>
>> There are 2 things projects like HTTPD and Tomcat do:
>>
>> 1. They amend the commits that fixed the issue by adding the CVE
>> reference in the commit message.
>> 2. Tomcat also includes link(s) to the commit(s) that fixed the issue
>> on their security page.
>>
>> We already do 1 (at least I found some commit logs amended), but
>> should we not also do 2 at https://ofbiz.apache.org/download.html ?
>>
>> Jacques
>>
>>
>


Re: Security issues diffusion strategy

Jacques Le Roux
Administrator
Hi Sharan,

OK, no pb

Jacques


Le 18/09/2017 à 10:15, Sharan Foga a écrit :

> Hi Jacques
>
> I noted that you sent the original email on a Saturday, and not everyone is available to respond over a weekend, so I would suggest that you wait at
> least another day for any feedback.
>
> Thanks
> Sharan
>
> On 18/09/17 09:59, Jacques Le Roux wrote:
>> Actually, we follow https://www.apache.org/security/committers.html and are right to do so.
>>
>> Since I got no answers I suppose it's a silent consensus and will do 2
>>
>> Jacques
>>
>>
>> Le 16/09/2017 à 11:50, Jacques Le Roux a écrit :
>>> Hi,
>>>
>>> Maybe you have heard about Equifax and Apache Struts recently.
>>> While following the story on the ASF members side I read some emails which made me think about our security issues diffusion strategy.
>>>
>>> There are 2 things projects like HTTPD and Tomcat do:
>>>
>>> 1. They amend the commits that fixed the issue by adding the CVE reference in the commit message.
>>> 2. Tomcat also includes link(s) to the commit(s) that fixed the issue on their security page.
>>>
>>> We already do 1 (at least I found some commit logs amended), but should we not also do 2 at https://ofbiz.apache.org/download.html ?
>>>
>>> Jacques
>>>
>>>
>>
>
>


Re: Security issues diffusion strategy

Jacques Le Roux
Administrator
Le 18/09/2017 à 10:45, Jacques Le Roux a écrit :
> includes link(s) to the commit(s) that fixed the issue on their security page.
Done at r1810259

Jacques