On 13/10/2011 09:03, jean-frederic clere wrote:
> On 10/13/2011 07:26 AM, Konstantin Kolinko wrote:
>> Hi!
>>
>> Re-reading the security pages I have several notes
>>
>> http://tomcat.apache.org/security-6.html
>> http://tomcat.apache.org/security-7.html
>>
>> 1) security-6.html and others have the following text:
>>
>> "Please send comments or corrections for these vulnerabilities to the
>> Tomcat Security Team."
>>
>> with a link to security@ address in it.
>>
>> I think it is wrong. General comments and questions should be sent to
>> dev@ or users@. Only exploits are for security@.
>>
>> I am not yet sure how to better write it. Maybe with a link to
>> security.html or lists.html
>
> I think the idea was to avoid a security comment like "in fact the fix
> is wrong" going to a public list.

Yep. Changing the text to "corrections to security@, questions to users@" could be the way to go.

>> 2) I would like to mention that we do not provide binary patches.
>>
>> I think direct links to the following pages will help some people:
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/building.html
>> http://tomcat.apache.org/tomcat-7.0-doc/BUILDING.txt
>>
>> The links will be different for different Tomcat versions.
>
> +1 that should prevent people from asking for a binary just after a fix.

huge +1. I am getting really fed up of the requests for 6.0.34.

>> 3) The above issues are already mentioned on the generic security page
>> (security.html), but on security-6.html page there is no direct link
>> back to security.html unless you pay attention to the site menu on the
>> left side.
>
> Go fix it :D

+1.

Mark