Date:      Fri, 17 Jan 2003 14:02:54 -0800
From:      Juli Mallett <jmallett@FreeBSD.org>
To:        Gregory Sutter <gsutter@zer0.org>
Cc:        Alfred Perlstein <bright@mu.org>, Nate Lawson <nate@root.org>, Martin Blapp <mb@imp.ch>, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/mountd mountd.c src/usr.sbin/rpc.lockd lockd.c src/usr.sbin/rpc.statd statd.c src/usr.sbin/rpc.yppasswdd yppasswdd_main.c src/usr.sbin/rpcbind rpcb_svc_com
Message-ID:  <20030117140254.A96500@FreeBSD.org>
In-Reply-To: <20030117215606.GA29071@klapaucius.zer0.org>; from gsutter@zer0.org on Fri, Jan 17, 2003 at 01:56:06PM -0800
References:  <20030116185752.L98919@levais.imp.ch> <Pine.BSF.4.21.0301161015050.46845-100000@root.org> <20030116185115.GQ33821@elvis.mu.org> <20030117215606.GA29071@klapaucius.zer0.org>

* From: Gregory Sutter <gsutter@zer0.org> [ Date: 2003-01-17 ]
	[ Subject: Re: cvs commit: src/usr.sbin/mountd mountd.c src/usr.sbin/rpc.lockd lockd.c src/usr.sbin/rpc.statd statd.c src/usr.sbin/rpc.yppasswdd yppasswdd_main.c src/usr.sbin/rpcbind rpcb_svc_
> On 2003-01-16 10:51 -0800, Alfred Perlstein <bright@mu.org> wrote:
> > In the light of the security issues here and request for silence
> > about the issue, perhaps we can post a followup to -developers after
> > such a commit and at a later date follow up with a forced commit
> > when things are "safe" to completely explain the issue.
> 
> That is excellent advice on a subject that has come up before and
> surely will again.  Perhaps it should be codified in the Committers'
> Guide?
> 
> The only change I'll suggest is that the followup be sent to
> cvs-committers and cvs-all instead of developers; more than just
> those with CVS privileges follow the commit logs, and I'm sure all
> will be interested in reading the commit logs and followup messages
> so they can better judge their systems' vulnerability.

They will find out when the forced commit happens, in such a scenario.
If the vulnerability cannot be disclosed immediately, then other developers
should probably be made aware that there *IS* one, and that information
is coming, at the very least.  Otherwise, keeping it quiet can be good.
-- 
Juli Mallett <jmallett@FreeBSD.org>
AIM: BSDFlata -- IRC: juli on EFnet.
OpenDarwin, Mono, FreeBSD Developer.
ircd-hybrid Developer, EFnet addict.
FreeBSD on MIPS-Anything on FreeBSD.
