Here it is: https://github.com/apache/logging-log4j2/pull/690
Mind somebody reviewing and merging it, please?
On Fri, Jan 7, 2022 at 1:35 PM Gary Gregory wrote:
> Hi all,
>
> Where can we record this decision? In a text file in the repo? Wiki? Both?
>
> Gary
>
> On Fri, Jan 7, 2022, 05:22 Volka
Hi all,
Where can we record this decision? In a text file in the repo? Wiki? Both?
Gary
On Fri, Jan 7, 2022, 05:22 Volkan Yazıcı wrote:
> Hello,
>
> This is the result of the vote introducing the process that enforces
> CVE submissions[1] and their content to be first subject to voting by
> me
Hello,
This is the result of the vote introducing the process that enforces
CVE submissions[1] and their content to be first subject to voting by
means of "lazy approval"[2] using the (private)
`secur...@logging.apache.org` mailing list:
6x +1 (accepting the process), all binding
2x +0 (abstainin
+1 (with lazy approval)
On Mon, Jan 3, 2022 at 12:59 PM Volkan Yazıcı wrote:
> Hello,
>
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` maili
+1 for going with lazy approval CVE process.
--
Matt Sicker
> On Jan 3, 2022, at 05:59, Volkan Yazıcı wrote:
>
> Hello,
>
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private)
+1, as this only affects the creation of CVEs but does not block the fixing
going on immediately.
I think we do not require majority though, just waiting if someone objects is
fine for me.
On Mon, Jan 3, 2022, at 12:59, Volkan Yazıcı wrote:
> Hello,
>
> As discussed earlier[1], this is a vote to
Lazy approval is the technical term for the voting style you’re describing.
Lazy consensus is how committers and PMC members are voted on. Snippet:
* Lazy consensus requires 3 binding +1 votes and no binding vetoes.
* A lazy majority vote requires 3 binding +1 votes and more binding +1 votes
tha
+-0
I have no strong opinion. I do believe that an informal consensus about our
best practice should be all we need. It should suffice when two PMC members
acknowledge both fix and official communication. My perception is that we
already do our best. Beyond that, it will always be a walk on the ed
While you may think they are just investigating the vulnerability there
really is a lot more that goes on behind the scenes. I know the second or third
CVE we addressed took several days for me to be able to confirm it was actually a
vulnerability. I was quite surprised that the DNS system does
> -Original Message-
> From: Xeno Amess
> Sent: Monday, January 3, 2022 10:40 AM
>
> +0
>
> I am just worried about several things.
>
> 1. Will it make the CVE's fix come out more slowly?
> A vote means waiting for 72 hours usually.
>
> 2. Do all PMC who enter the vote always have enough ability
These are two really good questions!
The 72 hours is recommended due to people being spread around the world and
people being unavailable due to pressing $dayjob or family items, weekends,
etc.
But in an emergency the voting period can be compressed. This PMC has done a
remarkably good job of
I would have recommended doing this vote by lazy consensus - i.e. you only
need to vote if you object, since we have previously discussed this and no
one seemed to object.
Ralph
> On Jan 3, 2022, at 4:59 AM, Volkan Yazıcı wrote:
>
> Hello,
>
> As discussed earlier[1], this is a vote to intro
It is already slow enough...
I submitted a vulnerability which I think at least can be 7 points, to an
Apache project (not this one) the day before yesterday.
And they have not finished the investigation yet...two days already...
And considering this is in vacation, it is normal to assume the ac
+1
Ralph
> On Jan 3, 2022, at 4:59 AM, Volkan Yazıcı wrote:
>
> Hello,
>
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` mailing list.
>
>
+0
I am just worried about several things.
1. Will it make the CVE's fix come out more slowly?
A vote means waiting for 72 hours usually.
2. Do all PMC who enter the vote always have enough ability and knowledge
for notifying how severe a vulnerability? Some vulnerabilities are, seems
small problem, noth
+1
-ck
> On Jan 3, 2022, at 6:59 AM, Volkan Yazıcı wrote:
>
> Hello,
>
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.org` mailing list.
>
> [
[X] +1, accept the process
Gary
On Mon, Jan 3, 2022 at 6:59 AM Volkan Yazıcı wrote:
> Hello,
>
> As discussed earlier[1], this is a vote to introduce the process that
> enforces CVE submissions and their content should be first subject to
> voting using the (private) `secur...@logging.apache.or
Hello,
As discussed earlier[1], this is a vote to introduce the process that
enforces CVE submissions and their content should be first subject to
voting using the (private) `secur...@logging.apache.org` mailing list.
[] +1, accept the process
[] -1, object to the process because...
The vote wil