Publish statement on Commons Text CVE
Hello Commons,

As you might know Commons Text recently published a CVE. It seems there is a fair bit of confusion about its severity online, so it seems like a good idea to publish a statement around that on the website.

I've proposed one at https://github.com/apache/commons-text/pull/374 and I'd like to ask for your review & help publishing. Given the issue is getting some attention it might be nice to publish something soon and maybe refine it later ;). I'll also publish it at https://blogs.apache.org/security .

I think what would need to happen is:
* review and merge https://github.com/apache/commons-text/pull/374
* check out the commit before the merge commit (since that one still has 1.10.0 as the version in the pom.xml)
* tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
* push the tag
* do a 'mvn site:deploy'

Much appreciated!

Kind regards,

Arnout
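The "check out the commit before the merge commit, then tag it" step from Arnout's list, worked through on a constructed throwaway repository as an added example (this is not code from the thread or from the Commons Text project). It assumes only `git` on PATH; the repository contents, the branch name `security-statement`, the 1.11.0-SNAPSHOT bump and the git identity are constructed placeholders. The point it makes is that "the commit before the merge commit" is the merge's first parent (`<merge>^1`), which git can resolve mechanically; pushing the tag and `mvn site:deploy` need the real remote and are left as comments.

```shell
#!/bin/sh
# Added example: select the mainline commit before a merge and tag it.
set -eu

# Git identity for the constructed repo only (placeholder values).
GIT_ID="-c user.name=demo -c user.email=demo@example.invalid"
export GIT_EDITOR=true

# make_demo_repo DIR: build a constructed repo mirroring the mail's situation:
# pom.xml at 1.10.0, a docs-only branch merged with a merge commit, then a
# version bump on the mainline afterwards. Prints the merge commit's sha.
make_demo_repo() {
    dir=$1
    git init -q "$dir"
    printf '<version>1.10.0</version>\n' > "$dir/pom.xml"
    git -C "$dir" add pom.xml
    git -C "$dir" $GIT_ID commit -q -m "Release 1.10.0"
    git -C "$dir" checkout -q -b security-statement
    printf 'CVE statement (constructed text)\n' > "$dir/security.md"
    git -C "$dir" add security.md
    git -C "$dir" $GIT_ID commit -q -m "Add security statement"
    git -C "$dir" checkout -q -            # back to the mainline branch
    git -C "$dir" $GIT_ID merge -q --no-ff -m "Merge security statement" security-statement
    merge=$(git -C "$dir" rev-parse HEAD)
    printf '<version>1.11.0-SNAPSHOT</version>\n' > "$dir/pom.xml"
    git -C "$dir" $GIT_ID commit -q -am "Start 1.11.0 development"
    echo "$merge"
}

# pre_merge_commit DIR MERGE: the merge's first parent, i.e. the mainline tip
# just before the PR landed. This is the commit the mail says to check out.
pre_merge_commit() {
    git -C "$1" rev-parse "$2^1"
}

# version_at DIR COMMIT: the <version> element of pom.xml as of COMMIT.
version_at() {
    git -C "$1" show "$2:pom.xml" | sed -n 's/.*<version>\(.*\)<\/version>.*/\1/p'
}

# tag_docs_update DIR COMMIT TAG: annotated tag on COMMIT; prints the commit
# the tag resolves to so the caller can verify it landed where intended.
# The remaining steps from the mail are not run here:
#   git -C "$1" push origin "$3"
#   mvn site:deploy
tag_docs_update() {
    git -C "$1" $GIT_ID tag -a -m "Docs-only update for $3" "$3" "$2"
    git -C "$1" rev-parse "$3^{commit}"
}

# Stand-alone demo: ./tag_example.sh --demo
if [ "${1:-}" = "--demo" ]; then
    repo=$(mktemp -d)
    merge=$(make_demo_repo "$repo")
    pre=$(pre_merge_commit "$repo" "$merge")
    echo "merge commit: $merge"
    echo "pre-merge:    $pre (pom version $(version_at "$repo" "$pre"))"
    echo "tip:          $(git -C "$repo" rev-parse HEAD) (pom version $(version_at "$repo" HEAD))"
    echo "tag resolves: $(tag_docs_update "$repo" "$pre" commons-text-1.10.0-docs-update)"
    rm -rf "$repo"
fi
```

Checking `version_at` on the candidate before tagging is the cheap guard against deploying a site that claims a snapshot version: the merge commit and its first parent both still read 1.10.0 here, while the branch tip already reads 1.11.0-SNAPSHOT.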
Re: Publish statement on Commons Text CVE
I have an unpublished security page in the repo already. Let's not duplicate information like this PR does please. Publishing a non-snapshot site is a pain and I don't want to do more than I have to. There is no need to buy in and promote the FUD on the front page IMO. This component will soon publish a security page and you can PR that page (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) if you want to update the details.

TY!

On Tue, Oct 18, 2022, 09:52 Arnout Engelen wrote:

> Hello Commons,
>
> As you might know Commons Text recently published a CVE. It seems there is a fair bit of confusion about its severity online, so it seems like a good idea to publish a statement around that on the website.
>
> I've proposed one at https://github.com/apache/commons-text/pull/374 and I'd like to ask for your review & help publishing. Given the issue is getting some attention it might be nice to publish something soon and maybe refine it later ;). I'll also publish it at https://blogs.apache.org/security .
>
> I think what would need to happen is:
> * review and merge https://github.com/apache/commons-text/pull/374
> * check out the commit before the merge commit (since that one still has 1.10.0 as the version in the pom.xml)
> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
> * push the tag
> * do a 'mvn site:deploy'
>
> Much appreciated!
>
> Kind regards,
>
> Arnout
Re: Publish statement on Commons Text CVE
FYI: I updated the security page https://commons.apache.org/proper/commons-text/security.html

Gary

On Tue, Oct 18, 2022 at 4:25 PM Gary Gregory wrote:
>
> I have an unpublished security page in the repo already. Let's not duplicate information like this PR does please. Publishing a non-snapshot site is a pain and I don't want to do more than I have to. There is no need to buy in and promote the FUD on the front page IMO. This component will soon publish a security page and you can PR that page (https://github.com/apache/commons-text/blob/master/src/site/xdoc/security.xml) if you want to update the details.
>
> TY!
>
> On Tue, Oct 18, 2022, 09:52 Arnout Engelen wrote:
>>
>> Hello Commons,
>>
>> As you might know Commons Text recently published a CVE. It seems there is a fair bit of confusion about its severity online, so it seems like a good idea to publish a statement around that on the website.
>>
>> I've proposed one at https://github.com/apache/commons-text/pull/374 and I'd like to ask for your review & help publishing. Given the issue is getting some attention it might be nice to publish something soon and maybe refine it later ;). I'll also publish it at https://blogs.apache.org/security .
>>
>> I think what would need to happen is:
>> * review and merge https://github.com/apache/commons-text/pull/374
>> * check out the commit before the merge commit (since that one still has 1.10.0 as the version in the pom.xml)
>> * tag it with something clear, like "commons-text-1.10.0-docs-update"(?)
>> * push the tag
>> * do a 'mvn site:deploy'
>>
>> Much appreciated!
>>
>> Kind regards,
>>
>> Arnout