Questions about Pidgin security fix release
mark at kingant.net
Tue Aug 9 17:02:00 EDT 2011
We have a few security fixes we need to release soon:
1. Remote crash in IRC prpl from non-ascii chars in a user's nickname
2. Remote crash in MSN prpl from improper handling of HTTP 100 Continue
3. The silly file:// execution thing
4. Possibly any bugs found by the EFF guys, but seems unlikely
Should we create a 2.9.1 release that contains only the fixes for
these bugs (and possible a few other important bug fixes)? Or should
we just release everything in im.pidgin.pidgin as 2.10.0?
We need to pick a date to lift the embargo. If we do 2.9.1 it could
be as soon as Friday. If we do 2.10.0 it seems like we might want to
give translators a little time, in which case maybe we could release
during the second half of next week? Maybe August 18?
My vote is 2.10.0 (because it's less work than creating a 2.9.1), and
August 18 (should give enough time for translators and packagers).
More information about the security