FYI: Fix PR632: patches/security/20110215/6878713.patch breaks shark zero build
Matthias Klose
doko at ubuntu.com
Mon Feb 21 02:28:16 PST 2011
On 21.02.2011 10:42, Andrew Haley wrote:
> On 02/21/2011 09:02 AM, Mark Wielaard wrote:
>>
>> On Thu, 2011-02-17 at 21:02 +0000, Dr Andrew John Hughes wrote:
>>> On 19:36 Thu 17 Feb , Mark Wielaard wrote:
>
>>>> You committed a patch, that you didn't discuss on the list, which
>>>> broke the zero/shark configuration that Xerxes and I care about.
>>>
>>> In fairness, I can't really discuss embargoed security issues :-D
>>
>> We probably should discuss that a bit more. It was unfair of me to
>> treat these as if they were "normal" patches. You take these security
>> issues on, and really do make sure they get applied as soon as
>> possible, when the underlying issues are announced to the world at
>> large. But we might need a bit more formal "security team" approach
>> to make sure you don't get overwhelmed by them. Should we start a
>> new thread on how to get more help with this process? I admit to not
>> exactly knowing how you get into possession of these embargoed security
>> fixes ahead of time, who embargoes them, what the process is if they
>> happen to become public before the embargo date, or who else is
>> involved, etc.
>
> The group of people who are involved is limited to a few named
> individuals.
yes, and this really sucks. Sun didn't and Oracle doesn't reach out beyond these
individuals. And these individuals only get information about issues in the
proprietary sun-java version, which have to be adjusted for OpenJDK, and even
then this information was more than once incomplete. Andrew Hughes tries to
compensate and coordinate for IcedTea, but this is really something which could
be done on the OpenJDK side. CC'ing Dalibor on input, he still seems to be the
OpenJDK community contact within Oracle.
> This process comes from CERT, http://www.cert.org, which came into
> being after the Internet Worm. Oracle handle the reports via the
> CVE database at http://cve.mitre.org/.
Is this so? In the past I did see CVEs submitted by RedHat, not by Oracle (even
for OpenJDK issues not related to IcedTea).
Matthias