Date: Fri, 17 Jan 2003 19:16:28 -0500 (EST)
From: John Baldwin <jhb@FreeBSD.org>
To: Juli Mallett <jmallett@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, Martin Blapp <mb@imp.ch>, Nate Lawson <nate@root.org>, Gregory Sutter <gsutter@zer0.org>, Alfred Perlstein <bright@mu.org>, "Bruce A. Mah" <bmah@FreeBSD.org>
Subject: Re: cvs commit: src/usr.sbin/mountd mountd.c src/usr.sbin/rpc.lo
Message-ID: <XFMail.20030117191628.jhb@FreeBSD.org>
In-Reply-To: <20030117155605.A4640@FreeBSD.org>
On 17-Jan-2003 Juli Mallett wrote:
> * De: "Bruce A. Mah" <bmah@FreeBSD.org> [ Data: 2003-01-17 ]
> [ Subjecte: Re: cvs commit: src/usr.sbin/mountd mountd.c src/usr.sbin/rpc.lockd lockd.c src/usr.sbin/rpc.statd statd.c src/usr.sbin/rpc.yppasswdd yppasswdd_main.c src/usr.sbin/rpcbind rpcb_svc_
>> If memory serves me right, Alfred Perlstein wrote:
>> > * Gregory Sutter <gsutter@zer0.org> [030117 14:09] wrote:
>> > >
>> > > Ah, right. An immediate message to developers and later forced
>> > > commit. Somehow I misread that the first time such that both the
>> > > message and the forced commit would come only after the public
>> > > release of security information. Sorry.
>> > >
>> > > What do you think of codifying the situation in the Committer's Guide?
>> >
>> > I think it's a great idea, when will you be done? :)
>>
>> It sounds to me like you (pl.) are advocating early disclosure of
>> security vulnerability information to a set of several hundred people,
>> at a time when generally, only a handful of people have need-to-know.
>>
>> (In case it's not clear, this idea scares me greatly.)
>
> We just need to know that there *is* a security-related aspect to what
> has been committed, and that we should await further info.

No, that gives you a reason to possibly go look at it to try and figure out what the fixed bug was. Instead, you just need to trust that during a release freeze the folks on re@ are not a bunch of boneheads and that if they sign off on something, they have a good reason for it. The so@ folks don't tell developers@ every time they learn of a vulnerability, so I don't see why we need a different rule for quick MFCs during a release freeze.

-- 
John Baldwin <jhb@FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/