Reindl,

I question whether I should bother rewarding your bad behavior and again
ask you if you find your negative attitude gets you where you want to be in
life?  But for others, here are the facts and the policy.

"we see that you mentioned these CVE names public at

https://lists.apache.org/thread.html/a3dc4c9d2a942d550e834df8f423eedeb042fdb69f4a83df26f1446b@%3Cdev.spamassassin.apache.org%3E

Once names are mentioned in public it starts a clock and we usually have 24
hours to send the information to Mitre, see process at
https://apache.org/security/committers.html"

That was 4 days ago and we worked the process with ethical disclosures and
attention to good security hygiene.

Spend your energy elsewhere as I dnftec.

On Sun, Sep 16, 2018, 22:26 Reindl Harald <h.rei...@thelounge.net> wrote:

>
>
> On 17.09.18 at 02:44, Kevin A. McGrail wrote:
> > Thanks for the post.  The bug is way out of line though.
> >
> > We posted release candidate 1 on the 12th noting the 4 CVE issues
> > coming.  I also backchanneled with RH as a heads up.  We do have a
> > brain...
>
> no you don't or why is the httpd project capable to bring CVE details a
> few days *after* release announcement (besides that they manage
> regularly releases at all)
>
> what you do with that way of announcement is trigger pressure for no good
> reason
>
