Own mistakes
Posted Aug 5, 2017 2:12 UTC (Sat) by gdt (subscriber, #6284)
In reply to: Own mistakes by smurf
Parent article: Waiting for AOO
If these minutes came to me for approval I too would have squashed "at least one security fix in the under-development-release". It's not the role of board minutes to notify clients of security issues; they are not a forum clients can be expected to monitor for this information. Due to an unfortunate operation of the law, board members often have only an "accept or reject item" option for altering board minutes, so I would have sadly asked for "reject" and perhaps asked the chair for more acuity from their staff when noting this topic in the future. I wouldn't read much into the deletion, beyond a board operating normally.
Posted Aug 7, 2017 13:03 UTC (Mon) by tialaramex (subscriber, #21167)
But Apache policy is to only put up the report (from groups like AOO) when the minutes are approved. _Then_ after they'd been published (so that the Wayback Machine has a copy even, so we're not talking about 30 seconds) the minutes were altered. So either the originally published minutes aren't the ones agreed by the board, or these aren't, and I don't much care which because either way I can't trust their records.
It also doesn't achieve any supposed security goal: bad guys don't have to accept that you've rescinded your previous announcement and are now claiming not to have security problems; they can read the original version. It's the same mistake as when people figure that they'll "undo" the damage from publishing their private keys to GitHub by asking GitHub to purge the data. It's a Pandora's box; you can't unopen it. That's just not how information works. The only thing achieved was to mislead researchers foolish enough to believe the ASF about their own projects.
