On 10/13/2011 07:26 AM, Konstantin Kolinko wrote:
Hi!
Re-reading the security pages I have several notes
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
1) security-6.html and others have the following text:
"Please send comments or corrections for these vulnerabilities to the
Tomcat Security Team."
with a link to security@ address in it.
I think it is wrong. General comments and questions should be sent to
dev@ or users@. Only exploits are for security@.
I am not yet sure how to better write it. Maybe with a link to
security.html or lists.html
I think the idea was to avoid a security comment like "in fact the fix
is wrong" going to a public list.
2) I would like to mention that we do not provide binary patches.
I think direct links to the following pages will help some people:
http://tomcat.apache.org/tomcat-7.0-doc/building.html
http://tomcat.apache.org/tomcat-7.0-doc/BUILDING.txt
The links will be different for different Tomcat versions.
+1 that should prevent people ask for a binary just after a fix.
3) The above issues are already mentioned on the generic security page
(security.html), but on security-6.html page there is no direct link
back to security.html unless you pay attention to the site menu on the
left side.
Go fix it :D
Cheers
Jean-Frederic
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
