Date:      Fri, 17 Jan 2003 14:09:37 -0800
From:      Gregory Sutter <gsutter@zer0.org>
To:        Juli Mallett <jmallett@FreeBSD.org>
Cc:        Alfred Perlstein <bright@mu.org>, Nate Lawson <nate@root.org>, Martin Blapp <mb@imp.ch>, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org
Subject:   Re: cvs commit: src/usr.sbin/mountd mountd.c src/usr.sbin/rpc.lockd lockd.c src/usr.sbin/rpc.statd statd.c src/usr.sbin/rpc.yppasswdd yppasswdd_main.c src/usr.sbin/rpcbind rpcb_svc_com
Message-ID:  <20030117220937.GV2964@klapaucius.zer0.org>
In-Reply-To: <20030117140254.A96500@FreeBSD.org>
References:  <20030116185752.L98919@levais.imp.ch> <Pine.BSF.4.21.0301161015050.46845-100000@root.org> <20030116185115.GQ33821@elvis.mu.org> <20030117215606.GA29071@klapaucius.zer0.org> <20030117140254.A96500@FreeBSD.org>



On 2003-01-17 14:02 -0800, Juli Mallett <jmallett@FreeBSD.org> wrote:
> * De: Gregory Sutter <gsutter@zer0.org> [ Data: 2003-01-17 ]
> > On 2003-01-16 10:51 -0800, Alfred Perlstein <bright@mu.org> wrote:
> > > In the light of the security issues here and request for silence
> > > about the issue, perhaps we can post a followup to -developers after
> > > such a commit and at a later date follow up with a forced commit
> > > when things are "safe" to completely explain the issue.
> >
> > That is excellent advice on a subject that has come up before and
> > surely will again.  Perhaps it should be codified in the Committers'
> > Guide?
> >
> > The only change I'll suggest is that the followup be sent to
> > cvs-committers and cvs-all instead of developers; more than just
> > those with CVS privileges follow the commit logs, and I'm sure all
> > will be interested in reading the commit logs and followup messages
> > so they can better judge their systems' vulnerability.
>
> They will find out when the forced commit happens, in such a scenario.
> If the vulnerability cannot be disclosed immediately, then other developers
> should probably be made aware that there *IS* one, and that information
> is coming, at the very least.  Otherwise, keeping it quiet can be good.

Ah, right.  An immediate message to developers and later forced
commit.  Somehow I misread that the first time such that both the
message and the forced commit would come only after the public
release of security information.  Sorry.

What do you think of codifying the situation in the Committer's Guide?

Greg
-- 
Gregory S. Sutter                   Fighting ignorance since 1975!
mailto:gsutter@zer0.org             (It's taking longer than I thought.)
http://www.zer0.org/~gsutter/
hkp://wwwkeys.pgp.net/0x845DFEDD

