Date: Mon, 25 Sep 2017 14:06:54 -0400
From: Leo Famulari <leo@...ulari.name>
To: oss-security@...ts.openwall.com
Subject: Re: Why send bugs embargoed to distros?

On Mon, Sep 25, 2017 at 02:52:13PM +0100, Cliff Perry wrote:
> On 23/09/17 12:44, Hanno Böck wrote:
> > b) if people think that they'd usually prepare a fixed package, however
> > they didn't consider optionsbleed important enough. (Naturally I
> > probably have a bias seeing my findings as more important as other
> > people, but I could live with that.)

Guix is not on the distros lists, but sometimes upstream projects contact
us privately with pre-release embargoed bug fixes. We will test and
prepare the updated packages during the embargo period whether or not we
think the bugs warrant an embargo.

> Hi Hanno,
> The detail of your report was good quality and I'm sure appreciated by
> everyone who needed to review it. I know that for Red Hat the
> pre-disclosure was useful.

Agreed, your reports are very useful to us, whether we read them in the
pre-release period, or after they have been disclosed publicly.