Yoav Shapira wrote:
Hi,
On 2/20/07, Filip Hanik - Dev Lists <[EMAIL PROTECTED]> wrote:
sounds good, as long as we don't publish vulnerabilities until they are
indeed fixed and the release has been voted stable
Agreed except the "stable" part. When the vulnerabilities have been
fixed in any release, including alpha / beta, they can be made public.
If the security issue is urgent there's likely to be a release with
nothing (or very little) except the security fix anyway. Those who
need to upgrade urgently can do so.
And I don't see the reasoning in that. You can safely assume that most
corporations will only put a "stable" version in their production
environment.
So let's say that there is a security vulnerability that has been fixed
in the x.y.(z+1) version, but that version also has some serious issues
qualifying it as an alpha.
The consequence of this is that you are "advertising" a security
vulnerability to the world, and you are leaving your users with either
continuing to run a stable version that everyone knows how to exploit or
upgrading to a non-stable version.
Doesn't sound like a fair choice, does it?
Filip
Yoav
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]