THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
- When a serious security issue arises, we should try to create a
#.#.#.X
branch from the last GA release, and apply to that branch only
the security patch. - If the patch first applies to some other dependency, implore the other group to do the same, to avoid side-effects from other changes.
- If the release manager would like to "fast track" a vote, so as to make a security fix available quickly, the preferred procedure is to
Include the term "fast-track" in the subject, as in {{\Wiki Markup [VOTE
\]
Struts
2.0.9.1
quality
(fast
track)
}}- In the vote message, specify voting terms like:
No Format |
---|
The Struts #.#.#.# test build is now available. (optional (in case of the presence of security bulletin) It includes the latest security patches which fix two possible vulnerabilities: * ... * ... For details and the rationale behind these changes, please consult the corresponding security bulletins: * https://cwiki.apache.org/confluence/display/WW/S2-XXX * https://cwiki.apache.org/confluence/display/WW/S2-XXX Please note that currently these bulletins and the release notes are only visible to logged-in users with the struts-committer role. This is a needed requirement to control disclosure until the actual release is announced. (/optional) Release notes: * [https://cwiki.apache.org/confluence/display/WW/Version+Notes+#.#.#.#] Distribution: * [http://people.apache.org/builds/struts/#.#.#.#/] Maven 2 staging repository: * [https://repository.apache.org/content/groups/staging/org/apache/struts/] Once you have had a chance to review the test build, please respond with a vote on its quality: [ ] Leave at test build [ ] Alpha [ ] Beta [ ] General Availability (GA) Everyone who has tested the build is invited to vote. Votes by PMC members are considered binding. A vote passes if there are at least three binding +1s and more +1s than -1s. This is a "fast-track" release vote. If we have a positive vote after 24 hours (at least three binding +1s and more +1s than -1s), the release may be submitted for mirroring and announced to the usual channels. The website download link will include the mirroring timestamp parameter [1], which limits the selection of mirrors to those that have been refreshed since the indicated time and date. (After 24 hours, we *must* remove the timestamp parameter from the website link, to avoid unnecessary server load.) In the case of a fast-track release, the email announcement will not link directly to <download.cgi>, but to <downloads.html>, so that we can control use of the timestamp parameter. [1] <[http://apache.org/dev/mirrors.html#use|http://apache.org/dev/mirrors.html#use]> - The Apache Struts group. |
Please be sure to update Security Bulletins accordingly as described above.