Date: Mon, 25 Sep 2017 14:06:54 -0400
From: Leo Famulari <leo@...ulari.name>
To: oss-security@...ts.openwall.com
Subject: Re: Why send bugs embargoed to distros?

On Mon, Sep 25, 2017 at 02:52:13PM +0100, Cliff Perry wrote:
> On 23/09/17 12:44, Hanno Böck wrote:
> > b) if people think that they'd usually prepare a fixed package, however
> > they didn't consider optionsbleed important enough. (Naturally I
> > probably have a bias seeing my findings as more important as other
> > people, but I could live with that.)

Guix is not on the distros lists, but sometimes upstream projects
contact us privately with pre-release embargoed bug fixes. We will test
and prepare the updated packages during the embargo period whether or
not we think the bugs warrant an embargo.

> Hi Hanno,
> The detail of your report was good quality and I'm sure appreciated by
> everyone who needed to review it. I know that for Red Hat the
> pre-disclosure was useful.

Agreed, your reports are very useful to us, whether we read them in the
pre-release period, or after they have been disclosed publicly.
