I handled two security fixes in the recent set of patch releases. It was
the first time I had done it and the procedures were rather less than
push-of-a-button simple to follow.

1. We should move as much as possible of the scripts and documentation
   that exists in a private repo into a public place.
2. We should discuss and review such procedures in public (here).

The Subversion PMC recently discussed and agreed the above on its private
mailing list. IIRC, all 'full committers' as listed in the 'COMMITTERS'
file are PMC members and so have access to that discussion and the
'security' repo if they want to help deal with this.

I'll follow up with some specific issues some time later. This email is
just to get the ball rolling so that anybody willing to do anything in
this direction can see they have a green light to do so.

- Julian