reporter on deadline seeks comment about reported security bug
wmoran at potentialtech.com
Tue Sep 15 11:18:45 UTC 2009
Mel Flynn <mel.flynn+fbsd.questions at mailing.thruhere.net> wrote:
> On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > On Mon, Sep 14, 2009 at 05:13:54PM -0400, illoai at gmail.com wrote:
> > > Am 2009/9/14 Dan Goodin <dgoodin at sitpub.com> writhed:
> > > > Hello,
> > > >
> > > > Dan Goodin, a reporter at technology news website The Register.
> > > > Security researcher Przemyslaw Frasunek says versions 6.x through 6.4
> > > > of FreeBSD has a security bug. He says he notified the FreeBSD
> > > > Foundation on August 29 and never got a response. We'll be writing a
> > > > brief article about this. Please let me know ASAP if someone cares to
> > > > comment.
> > >
> > > Has anyone submitted a PR about this?
> > Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR is not
> > submitted then one has *not* informed the Powers That Be.
> Wrong. Security bugs should be reported to the security team, not PR'd.
It's typical for security issues to be kept hushed until a fix is ready.
As a result, there are usually no PRs, and in the case where the person
who discovered the problem is amenable, there is no public discussion at
all until a fix is available.
Apparently, Mr. Frasunek started out down that path, which is admirable.
It seems as if he doesn't have much patience, however, since he thinks
that only 2 weeks is enough time to fix a security problem and QA the fix.
More information about the freebsd-questions