[RESULT][VOTE] CVE creation process

[Volkan Yazıcı <vo...@yazi.ci>]

Hello,

This is the result of the vote introducing the process that enforces
CVE submissions[1] and their content to be first subject to voting by
means of "lazy approval"[2] using the (private)
`security@logging.apache.org` mailing list:

6x +1 (accepting the process), all binding
2x +0 (abstaining)

Details:

+1 (accepting the process):
Ralph Goers (binding)
Gary Gregory (binding)
Christian Grobmeier (binding)
Carter Kozak (binding)
Matt Sicker (binding)
Volkan Yazıcı (binding)

+0:
Xeno Amess (non binding)
Dominik Psenner (binding)

The PMC decided unanimously to introduce the aforementioned CVE
creation process.

Kind regards,
Volkan

[1] Note that this process only involves the creation of CVEs and
doesn't interfere with any form of fixes or releases.
[2] An action with lazy approval is implicitly allowed unless a -1
vote is received, at which time, depending on the type of action,
either lazy majority or lazy consensus approval must be obtained. For
details see https://logging.apache.org/guidelines.html

Re: [RESULT][VOTE] CVE creation process

[Volkan Yazıcı <vo...@yazi.ci>]

Here it is: https://github.com/apache/logging-log4j2/pull/690

Mind somebody reviewing and merging it, please?

On Fri, Jan 7, 2022 at 1:35 PM Gary Gregory <ga...@gmail.com> wrote:

> Hi all,
>
> Where can we record this decision? In a text file in the repo? Wiki? Both?
>
> Gary
>
> On Fri, Jan 7, 2022, 05:22 Volkan Yazıcı <vo...@yazi.ci> wrote:
>
> > Hello,
> >
> > This is the result of the vote introducing the process that enforces
> > CVE submissions[1] and their content to be first subject to voting by
> > means of "lazy approval"[2] using the (private)
> > `security@logging.apache.org` mailing list:
> >
> > 6x +1 (accepting the process), all binding
> > 2x +0 (abstaining)
> >
> > Details:
> >
> > +1 (accepting the process):
> > Ralph Goers (binding)
> > Gary Gregory (binding)
> > Christian Grobmeier (binding)
> > Carter Kozak (binding)
> > Matt Sicker (binding)
> > Volkan Yazıcı (binding)
> >
> > +0:
> > Xeno Amess (non binding)
> > Dominik Psenner (binding)
> >
> > The PMC decided unanimously to introduce the aforementioned CVE
> > creation process.
> >
> > Kind regards,
> > Volkan
> >
> > [1] Note that this process only involves the creation of CVEs and
> > doesn't interfere with any form of fixes or releases.
> > [2] An action with lazy approval is implicitly allowed unless a -1
> > vote is received, at which time, depending on the type of action,
> > either lazy majority or lazy consensus approval must be obtained. For
> > details see https://logging.apache.org/guidelines.html
> >
>

Re: [RESULT][VOTE] CVE creation process

[Gary Gregory <ga...@gmail.com>]

Hi all,

Where can we record this decision? In a text file in the repo? Wiki? Both?

Gary

On Fri, Jan 7, 2022, 05:22 Volkan Yazıcı <vo...@yazi.ci> wrote:

> Hello,
>
> This is the result of the vote introducing the process that enforces
> CVE submissions[1] and their content to be first subject to voting by
> means of "lazy approval"[2] using the (private)
> `security@logging.apache.org` mailing list:
>
> 6x +1 (accepting the process), all binding
> 2x +0 (abstaining)
>
> Details:
>
> +1 (accepting the process):
> Ralph Goers (binding)
> Gary Gregory (binding)
> Christian Grobmeier (binding)
> Carter Kozak (binding)
> Matt Sicker (binding)
> Volkan Yazıcı (binding)
>
> +0:
> Xeno Amess (non binding)
> Dominik Psenner (binding)
>
> The PMC decided unanimously to introduce the aforementioned CVE
> creation process.
>
> Kind regards,
> Volkan
>
> [1] Note that this process only involves the creation of CVEs and
> doesn't interfere with any form of fixes or releases.
> [2] An action with lazy approval is implicitly allowed unless a -1
> vote is received, at which time, depending on the type of action,
> either lazy majority or lazy consensus approval must be obtained. For
> details see https://logging.apache.org/guidelines.html
>