Packager responsibilities and violation of trust

Ethan Blanton elb at
Mon Jul 19 11:48:33 EDT 2010


It appears likely that you have violated our trust in belonging to the
packagers list for Pidgin, which receives security vulnerability
information ahead of time so that distributions may prepare for
coordinated release of vulnerability fixes.  This URL was brought to
our attention on packagers (of which you are probably aware):

That patch was an embargoed (until August 5, when the coordinated
2.7.2 release was to occur) fix for an as-yet-undisclosed security
vulnerability.  By releasing the patch before the embargo date, you
have compromised the disclosure process, preventing other packagers
and vendors from responsibly patching their distributions of
Pidgin/libpurple to be released on the day of the vulnerability

You were allowed onto packagers at on the condition that you
keep the information on that list private and secure, so that you
could release coordinated fixes for Arch Linux.

I do not have any immediate plans to remove you from the packagers
list, but we will certainly be discussing this situation.  I trust
that, in the meantime, you will not disclose any more information from
that list until you are explicitly allowed to do so.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: Digital signature
URL: <>

More information about the security mailing list