7:58 a.m.
Hi,
With regard to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757:
- I can't find 2.0.30.sp1 and 2.1.0 final tags in
https://github.com/undertow-io/undertow .
- In binary form, I can find 2.1.0.Final in maven central repository, but
2.0.30.sp1 is not available there either.
Francisco A. Lozano
10:48 a.m.
Hi Francisco
The SP tags are done in Red Hat internal product repositories.
The 2.1.0.Final? is uploaded to the github.repo.
Regards,
Flavia
On Wed, Apr 22, 2020 at 9:59 AM Francisco A. Lozano <flozano(a)gmail.com>
wrote:
Hi,
With regard to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757:
- I can't find 2.0.30.sp1 and 2.1.0 final tags in
https://github.com/undertow-io/undertow .
- In binary form, I can find 2.1.0.Final? in maven central repository,
but 2.0.30.sp1 is not available there either.
Francisco A. Lozano
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
--
Flavia Rainone
Principal Software Engineer
Red Hat <https://www.redhat.com>
frainone(a)redhat.com
<https://www.redhat.com>
12:36 p.m.
Hi,
So the SP tags are not created in the open-source repositories as a rule?
(and of course neither are binaries published in maven)?
Are you implying that RH is not releasing "SP" fixes in 2.0.X as
open-source in the normal repos?
If that is the case, I'd like to understand fully what is the policy for
releasing bug-fixes, security fixes and such. Is there any document that
explains such policy? I have built stuff that right now depends on 2.0.X,
as many others I guess, based in (wrong?) assumptions about the open-ness
of this project.
br,
Francisco A. Lozano
El lun., 27 abr. 2020 a las 17:49, Flavia Rainone (<frainone(a)redhat.com>)
escribió:
Hi Francisco
The SP tags are done in Red Hat internal product repositories.
The 2.1.0.Final? is uploaded to the github.repo.
Regards,
Flavia
On Wed, Apr 22, 2020 at 9:59 AM Francisco A. Lozano <flozano(a)gmail.com>
wrote:
> Hi,
> With regard to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757:
>
> - I can't find 2.0.30.sp1 and 2.1.0 final tags in
> https://github.com/undertow-io/undertow .
> - In binary form, I can find 2.1.0.Final? in maven central repository,
> but 2.0.30.sp1 is not available there either.
>
> Francisco A. Lozano
> _______________________________________________
> undertow-dev mailing list
> undertow-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
--
Flavia Rainone
Principal Software Engineer
Red Hat <https://www.redhat.com>
frainone(a)redhat.com
<https://www.redhat.com>
8:04 p.m.
So the .SP releases are a bit different to what other projects do.
In general all work except for embargoed security issues are pushed
upstream first, and these are also pushed upstream once the embargo is
lifted. This means that once the embargo is lifted and security patches are
pushed upstream the SP releases are a strict subset of the current upstream
branches.
The reason for this is that EAP does not want every commit, as it aims to
provide a very stable environment so the number of changes that go into a
release are limited to issues that actually affect EAP. For a commit to go
into EAP it also needs to be tested and verified by the Red Hat QE, and
they can only test so much.
That said I don't think there is any particular reason why we don't push
the tags after embargo has been lifted, mostly just that nobody has asked
for them. Really though there is no reason to use a SP release over the
latest community version, as the SP releases are based on the requirements
of EAP and not the community at large.
Stuart
On Tue, 28 Apr 2020 at 03:41, Francisco A. Lozano <flozano(a)gmail.com> wrote:
Hi,
So the SP tags are not created in the open-source repositories as a rule?
(and of course neither are binaries published in maven)?
Are you implying that RH is not releasing "SP" fixes in 2.0.X as
open-source in the normal repos?
If that is the case, I'd like to understand fully what is the policy for
releasing bug-fixes, security fixes and such. Is there any document that
explains such policy? I have built stuff that right now depends on 2.0.X,
as many others I guess, based in (wrong?) assumptions about the open-ness
of this project.
br,
Francisco A. Lozano
El lun., 27 abr. 2020 a las 17:49, Flavia Rainone (<frainone(a)redhat.com>)
escribió:
> Hi Francisco
>
> The SP tags are done in Red Hat internal product repositories.
>
> The 2.1.0.Final? is uploaded to the github.repo.
>
> Regards,
> Flavia
>
> On Wed, Apr 22, 2020 at 9:59 AM Francisco A. Lozano <flozano(a)gmail.com>
> wrote:
>
>> Hi,
>> With regard to https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757
>> :
>>
>> - I can't find 2.0.30.sp1 and 2.1.0 final tags in
>> https://github.com/undertow-io/undertow .
>> - In binary form, I can find 2.1.0.Final? in maven central repository,
>> but 2.0.30.sp1 is not available there either.
>>
>> Francisco A. Lozano
>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>
>
> --
>
> Flavia Rainone
>
> Principal Software Engineer
>
> Red Hat <https://www.redhat.com>
>
> frainone(a)redhat.com
> <https://www.redhat.com>
>
_______________________________________________
undertow-dev mailing list
undertow-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev
1714
days inactive
1720
days old
3 comments
3 participants
participants (3)
-
Flavia Rainone -
Francisco A. Lozano -
Stuart Douglas