[Advisories] Libpurple security vulnerability CORE-2009-0727
lschiere at pidgin.im
Thu Jul 30 22:46:14 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
On Jul 30, 2009, at 22:37 EDT, Stu Tomlinson wrote:
> On Fri, Jul 31, 2009 at 03:33, Luke Schierer<lschiere at pidgin.im>
>> To me the biggest question is can we *correctly* fix this issue
>> this time
>> around, since, if I read this report correctly, they are informing
>> us that
>> our previous fix didn't actually fix.
> Irrespective of whether we can fix it in time or not, I suggest
> delaying any further releases until we think we can fix it.
>> Given that we can, yes, I'd like to see the fixes come out in about
>> the same
>> timeframe as news of the vulnerability. but I recognize that we have
>> historically been really really bad about waiting for a truly co-
> And if we can't/don't have a fix yet/whatever you think we should
> press ahead and release unfixed shiny new features anyway?
The original email I received indicated that they may be willing to
hold off publishing if we can give them a realistic timeline for when
we could have it fixed by.
I hadn't really thought about the potential for releases between now
and then. I guess I just assumed that *if* we could fix it sooner,
and get the fix to our packagers sooner, then we'd tell Core Security
that they could publish sooner.
Now that you have me thinking about it, no, I don't think we should
release a 2.6.0 between now and fixing it, too many people would grab
that and neglect to grab a 2.6.1. If however there were something
other than this critical to fix, I don't think I'd object to having a
2.5.9 fixing something else before we fix this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
-----END PGP SIGNATURE-----
More information about the Packagers