Posted to commits@subversion.apache.org by cm...@apache.org on 2010/03/10 16:03:02 UTC
svn commit: r921380 - /subversion/site/publish/security/index.html
Author: cmpilato
Date: Wed Mar 10 15:03:02 2010
New Revision: 921380
URL: http://svn.apache.org/viewvc?rev=921380&view=rev
Log:
* site/publish/security/index.html
Update the instructions on this page to point folks who need to report
security vulnerabilities in Subversion toward the ASF Security team.
Modified:
subversion/site/publish/security/index.html
Modified: subversion/site/publish/security/index.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/security/index.html?rev=921380&r1=921379&r2=921380&view=diff
==============================================================================
--- subversion/site/publish/security/index.html (original)
+++ subversion/site/publish/security/index.html Wed Mar 10 15:03:02 2010
@@ -17,49 +17,31 @@
<h1>Subversion Security</h1>
-<p>If you discover a security vulnerability in Subversion, please
-email this address:</p>
-<!-- See http://www.cdt.org/speech/spam/030319spamreport.shtml for
- evidence that this has some effect. -->
-<blockquote>
-<p><strong><span>s</span><span>v</span><span>n</span><span>s</span><span>e</span><span>c</span><span>u</span><span>r</span><span>i</span><span>t</span><span>y</span><span> </span><span>{</span><span>@</span><span>}</span><span> </span><span>r</span><span>e</span><span>d</span><span>-</span><span>b</span><span>e</span><span>a</span><span>n</span><span>.</span><span>c</span><span>o</span><span>m</span></strong></p>
-</blockquote>
-
-<p>(Take off the spaces and curly braces, of course.)</p>
-
-<p>It is safe to send sensitive reports to this address: list
-membership is controlled, and the archives are not publicly
-accessible. <strong style="color: red">Please do not reproduce the
-above email address on other web pages or in public postings.</strong>
-Due to the need for responsiveness, the security list is unmoderated,
-which makes it particularly vulnerable to spammers. We want to avoid
-changing the list address, because it's good to have a consistent,
-dependable place to report security holes. We've taken steps to make
-the address above less likely to be harvested by spammers, but your
-assistance here in this matter is critical.</p>
-
-<h2>Security Prodecure</h2>
-
-<p>We take security very seriously. Upon receiving your report at the
-above email address, we will do the following:</p>
-
-<ol>
- <li>Analyze your report.</li>
-
- <li>Make a fix for the vulnerability.</li>
-
- <li>Discreetly distribute the fix to a few large sites that run
- Subversion servers and are trusted to be discreet themselves.</li>
-
- <li>Simultaneously release a new version of Subversion (containing
- just that fix) and publicly announce the vulnerability it
- fixes.</li>
-</ol>
-
-<p>This procedure may vary depending on the nature of the
-vulnerability and the degree of pre-existing public awareness, of
-course.</p>
+<div class="bigpoint">
+
+<p>The Apache Software Foundation provides a framework and team of
+ folks for handling reports of security vulnerabilities. If you
+ discover a security vulnerability in Apache Subversion, please
+ follow the instructions found here:</p>
+
+<p><a href="http://www.apache.org/security/"
+ >http://www.apache.org/security/</a></p>
+
+</div> <!-- .bigpoint -->
+
+<p>The Subversion development community takes security very seriously.
+ One way we demonstrate this is by not pretending to be cryptography
+ or security experts. Rather than writing a bunch of proprietary
+ security mechanisms for Subversion, we prefer instead to teach
+ Subversion to interoperate with security libraries and protocols
+ provided by those with knowledge of that space. For example,
+ Subversion defers wire encryption to the likes of OpenSSL. It
+ defers authentication and basic authorization to those mechanisms
+ provided by Cyrus SASL or by the Apache HTTP Server and its rich
+ collection of modules. To the degree that we can leverage the
+ knowledge of security experts by using the third-party libraries
+ and APIs they provide, we will continue to do so.</p>
<h2>Previous Security Advisories</h2>
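Review bot: the replacement drops the whole "Security Procedure" list (analyze, fix, discreet pre-distribution to trusted large sites, then simultaneous release and public announcement) without telling reporters what to expect in its place; the new `<div class="bigpoint">` block says where to report but not that reports are handled under embargo until a fix is released, so consider keeping one sentence stating that Subversion follows the ASF process, or pointing at the part of http://www.apache.org/security/ that describes it. Two smaller points: the old text asked readers never to republish the svnsecurity address, and nothing in the new text says whether reports still sent there reach anyone, so a line noting that the ASF channel is now the only monitored one would avoid silent drops; and `class="bigpoint"` is only useful if that class is defined in the site stylesheet, which this diff does not touch, so verify it exists before publishing.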