Many thanks, Fabian, and sorry for the delay. Unfortunately I'm not really able to free up as much time as necessary for any OSS stuff right now.
On 2021-05-03, Fabian Meumertzheim wrote:
> The behavior you are observing has only become the standard somewhat
> recently [1], which is also why I had decided to point it out before we
> performed the integration [2].
> [1] https://github.com/google/oss-fuzz/issues/5255

I must have overlooked that back then, or just didn't understand what it meant. One key is the phrase "after a patch is released", which is also used in [1] and which means a completely different thing to ASF communities than to the person opening the issue above. Nobody around here would argue against disclosing details of a vulnerability after a new release containing the fix is available.

The best we can do probably is pointing out that the new policy is incompatible with the ASF security policy (point 14 in https://www.apache.org/security/committers.html#vulnerability-handling) without trying to argue who is right. Going from there we will see whether there is an option for ASF projects to continue using OSS Fuzz or not.

Unfortunately I believe this discussion must be driven by somebody with a predictable and sufficiently large slice of time for this, which I will not be for at least the next week, likely longer. Unless anybody else jumps in, I'll take it on myself once I believe to be available.

Fortunately, so far no issues have shown up that would force our hand, and even if something came up I'm sure we could figure out some sort of singular exemption.

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org