Date: Mon, 25 Sep 2017 14:06:54 -0400
From: Leo Famulari <leo@...ulari.name>
To: oss-security@...ts.openwall.com
Subject: Re: Why send bugs embargoed to distros?

On Mon, Sep 25, 2017 at 02:52:13PM +0100, Cliff Perry wrote:
> On 23/09/17 12:44, Hanno Böck wrote:
> > b) if people think that they'd usually prepare a fixed package, however
> > they didn't consider optionsbleed important enough. (Naturally I
> > probably have a bias seeing my findings as more important as other
> > people, but I could live with that.)

Guix is not on the distros lists, but sometimes upstream projects
contact us privately with pre-release embargoed bug fixes. We will test
and prepare the updated packages during the embargo period whether or
not we think the bugs warrant an embargo.

> Hi Hanno,
> The detail of your report was good quality and I'm sure appreciated by
> everyone who needed to review it. I know that for Red Hat the
> pre-disclosure was useful.

Agreed, your reports are very useful to us, whether we read them in the
pre-release period, or after they have been disclosed publicly.
