FYI: Fix PR632: patches/security/20110215/6878713.patch breaks shark zero build
Andrew Haley
aph at redhat.com
Mon Feb 21 02:49:17 PST 2011
On 02/21/2011 10:28 AM, Matthias Klose wrote:
> On 21.02.2011 10:42, Andrew Haley wrote:
>> On 02/21/2011 09:02 AM, Mark Wielaard wrote:
>>>
>>> On Thu, 2011-02-17 at 21:02 +0000, Dr Andrew John Hughes wrote:
>>>> On 19:36 Thu 17 Feb, Mark Wielaard wrote:
>>
>>>>> You committed a patch, that you didn't discuss on the list, which
>>>>> broke the zero/shark configuration that Xerxes and I care about.
>>>>
>>>> In fairness, I can't really discuss embargoed security issues :-D
>>>
>>> We probably should discuss that a bit more. It was unfair of me to
>>> treat these as if they were "normal" patches. You take these security
>>> issues on, and really do make sure they get applied as soon as
>>> possible, when the underlying issues are announced to the world at
>>> large. But we might need a bit more formal "security team" approach
>>> to make sure you don't get overwhelmed by them. Should we start a
>>> new thread on how to get more help with this process? I admit to not
>>> exactly knowing how you get into possession of these embargoed security
>>> fixes ahead of time, who embargoes them, what the process is if they
>>> happen to become public before the embargo date, or who else is
>>> involved, etc.
>>
>> The group of people who are involved is limited to a few named
>> individuals.
>
> yes, and this really sucks. Sun didn't and Oracle doesn't reach out
> beyond these individuals. And these individuals only get information
> about issues in the proprietary sun-java version,
That's rather unfair IMO.
> which have to be adjusted for OpenJDK, and even then this
> information was more than once incomplete. Andrew Hughes tries to
> compensate and coordinate for IcedTea, but this is really something
> which could be done on the OpenJDK side.
I think that it has to be individuals, for all the good
security-related reasons. You can't pass security bulletins to an
entire community. You have to bear in mind that Andrew Hughes is the
public face of a team that's working on these security-related
updates.
>> This process comes from CERT, http://www.cert.org, which came into
>> being after the Internet Worm. Oracle handle the reports via the
>> CVE database at http://cve.mitre.org/.
>
> Is this so?
Generally, yes.
Andrew.
More information about the distro-pkg-dev mailing list