Remote crashes being fixed in 2.6.2

Mark Doliner mark at kingant.net
Wed Sep 9 18:51:20 EDT 2009


On Wed, Sep 9, 2009 at 1:07 PM, Josh Bressers <bressers at redhat.com> wrote:
> ----- "Paul Aurich" <paul at darkrain42.org> wrote:
>
>> Per Warren's request, this is a list of remote crashes being fixed in
>> 2.6.2. The XMPP crash, at the least, probably impacts everything back
>> to and including 2.5.2 (when that support was added). I don't know
>> about the others.
>>
>
> Warren asked me to start a conversation about security flaw handling in
> Pidgin. Right now it's a bit uneven, the goal should be to provide a
> consistent response every time a security flaw is found and fixed.
>
> I'm not sure what sort of current internal infrastructure Pidgin has to deal
> with security flaws right now, so initially I'm happy to just listen.
>
> As some background, I help a number of different Open Source projects do just
> this sort of thing. It's annoying work, but if it's done properly, it helps
> everyone from developers, to distros, to users.

Are there specific things you think we need to improve?

Things we try to do now:
* If someone reports a problem to us privately, keep the problem
confidential until an agreed upon embargo date
* Notify the packagers list about the problem, what versions it
affects, what the solution is, whether it's public, the disclosure
date, and provide a patch if possible
* On the agreed upon day, check in the fix, add it to our security
page, build updated packages

-Mark



More information about the Packagers mailing list