FYI: Fix PR632: patches/security/20110215/6878713.patch breaks shark zero build

Andrew Haley aph at redhat.com
Mon Feb 21 01:42:40 PST 2011


On 02/21/2011 09:02 AM, Mark Wielaard wrote:
>
> On Thu, 2011-02-17 at 21:02 +0000, Dr Andrew John Hughes wrote:
>> On 19:36 Thu 17 Feb     , Mark Wielaard wrote:

>>> You committed a patch, that you didn't discuss on the list, which
>>> broke the zero/shark configuration that Xerxes and I care about.
>>
>> In fairness, I can't really discuss embargoed security issues :-D
>
> We probably should discuss that a bit more. It was unfair of me to
> treat these as if they were "normal" patches. You take these security
> issues on, and really do make sure they get applied as soon as
> possible, when the underlying issues are announced to the world at
> large. But we might need a bit more formal "security team" approach
> to make sure you don't get overwhelmed by them. Should we start a
> new thread on how to get more help with this process? I admit to not
> exactly knowing how you get into possession of these embargoed security
> fixes ahead of time, who embargoes them, what the process is if they
> happen to become public before the embargo date, or who else is
> involved, etc.

The group of people who are involved is limited to a few named
individuals.

This process comes from CERT, http://www.cert.org, which came into
being after the Internet Worm.  Oracle handle the reports via the
CVE database at http://cve.mitre.org/.

Andrew.



More information about the distro-pkg-dev mailing list