Hi,

On Thu, Apr 5, 2012 at 7:27 PM, Apache Wiki <wikidi...@apache.org> wrote:
> OpenOffice
>
> Out-of-Band Report

Thanks for the explicit report about this!

> The IPMC and Board should note that this extraordinary patch was made
> available, as a courtesy to the ecosystem, based on the severity of the
> reported vulnerability and the ease of exploiting it.  The patch was made
> available under ALv2, and distribution was done via the Apache mirrors,
> although this did not constitute an official release.

This is pretty gray territory. Normally neither a podling nor a TLP
should ever publish binaries for distribution without all the relevant
source code and without going through the standard voting procedure.

> Because of the required secrecy around the preparation of such security
> patches, a minimum number of Apache members were involved in vetting this
> release, though we did try to touch all bases by involving mentors, Infra
> and Legal Affairs.

I'm inclined to trust the judgement of people involved here.

It should be noted though that even though the /dist/incubator/ooo
space was used to distribute these patches, they were and are not
officially blessed by the Incubator PMC on behalf of the ASF.

Should a similar case arise in the future, I'd prefer if a clearly
separate area under /dist or some other place was used to prevent
confusing these with official Apache releases.

BR,

Jukka Zitting
