[DISCUSS\[VOTE] CVE creation process

[Ralph Goers <ra...@dslextreme.com>]

These are two really good questions!

The 72 hours is recommended due to people being spread around the world and 
people being unavailable due to pressing $dayjob or family items, weekends, etc. 
But in an emergency the voting period can be compressed. This PMC has done a 
remarkably good job of completing several release votes in a short period of time 
over the last few weeks.

The PMC has several forms of communication we take advantage of. Although not 
all PMC members are familiar with the code in each project we all are pretty good 
at grasping the concepts at a detailed enough level to participate in the conversation 
and form an opinion.

Ralph

> On Jan 3, 2022, at 8:39 AM, Xeno Amess <xe...@gmail.com> wrote:
> 
> +0
> 
> I just worried several things.
> 
> 1. Will it make the cve's fix come out more slowly?
> A vote means waiting for 72 hours usually.
> 
> 2. Do all PMC who enter the vote always have enough ability and knowledge
> for notifying how severe a vulnerability? Some vulnerabilities are, seems
> small problem, nothing at all, but would actually do very much damage.
> 
> 
> Carter Kozak <ck...@ckozak.net> 于2022年1月3日周一 22:53写道：
> 
>> +1
>> 
>> -ck
>> 
>>> On Jan 3, 2022, at 6:59 AM, Volkan Yazıcı <vo...@yazi.ci> wrote:
>>> 
>>> Hello,
>>> 
>>> As discussed earlier[1], this is a vote to introduce the process that
>>> enforces CVE submissions and their content should be first subject to
>>> voting using the (private) `security@logging.apache.org` mailing list.
>>> 
>>> [] +1, accept the process
>>> [] -1, object to the process because...
>>> 
>>> The vote will remain open for 72 hours (or more if required). All
>>> votes are welcome and we encourage everyone to participate, but only
>>> Logging PMC votes are “officially” counted. As always, at least 3 +1
>>> votes and more positive than negative votes are required.
>>> 
>>> Kind regards.
>>> 
>>> [1] https://lists.apache.org/thread/qd7mr5pt9kby3lkz4j49304tkqgm9yhl
>> 
>>