Remote crashes being fixed in 2.6.2
Ethan Blanton
elb at pidgin.im
Wed Sep 9 20:58:22 EDT 2009
Josh Bressers spake unto us the following wisdom:
> Warren asked me to start a conversation about security flaw handling in
> Pidgin. Right now it's a bit uneven, the goal should be to provide a
> consistent response every time a security flaw is found and fixed.
>
> I'm not sure what sort of current internal infrastructure Pidgin has to deal
> with security flaws right now, so initially I'm happy to just listen.
We don't really have one, and that's the problem. :-) While you were
away, we had a NULL pointer dereference disclosure go to the
development mailing list with a proof-of-concept exploit attached,
because the discoverer tried to contact a Pidgin developer, got no
response, and didn't know where to go next.
Since then, we have created a security at pidgin.im contact point which
contains a *number* of developers, changed pidgin.im/security to point
to this mailing list and include some disclosure guidance, and opened
this discussion. The latter web page is not yet really linked from
anywhere, as I was hoping to get some feedback on it before throwing
it out there.
We are aware that we have a coordination problem, and it shows up not
only in vulnerability handling, but in general releases and other
project administration. You could ask translators@ about it, too.
;-) We'd like to fix coordination issues as much as possible, with
the understanding that there's a fundamental underlying constraint
that most of our active developers seem to be desperately short of time
to work on Pidgin, lately.
Ethan
--
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor
determined to commit crimes.
-- Cesare Beccaria, "On Crimes and Punishments", 1764