I have an unpublished security page in the repo already. Let's not duplicate information like this PR does please. Publishing a non-snapshot site is a pain and I don't want to do more than I have to. There is no need to buy in and promote the FUD on the front page IMO. This component will soon publish a security page and you can PR that page ( https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) if you want to update the details.
TY! On Tue, Oct 18, 2022, 09:52 Arnout Engelen <enge...@apache.org> wrote: > Hello Commons, > > As you might know Commons Text recently published a CVE. It seems there is > a fair bit of confusion about its severity online, so it seems like a good > idea to publish a statement around that on the website. > > I've proposed one at https://github.com/apache/commons-text/pull/374 and > I'd like to ask for your review & help publishing. Given the issue is > getting some attention it might be nice to publish something soon and maybe > refine it later ;). I'll also publish it at > https://blogs.apache.org/security . > > I think what would need to happen is: > * review and merge https://github.com/apache/commons-text/pull/374 > * check out the commit before the merge commit (since that one still has > 1.10.0 as the version in the pom.xml) > * tag it with something clear, like "commons-text-1.10.0-docs-update"(?) > * push the tag > * do a 'mvn site:deploy' > > Much appreciated! > > > Kind regards, > > Arnout >
