On Tue, Jun 12, 2012 at 2:40 AM, Thomas Goirand <z...@debian.org> wrote:
> On 06/12/2012 02:23 AM, Aron Xu wrote:
>> I'm not saying you are disclosing anything, but you are asking if
>> someone knows it's in what status publicly in a Debian development
>> mailing list. Then this may lead to some disclosing and even mislead
>> some other people. Yes there are many people doing tests just like
>> you, and they are reporting their results in many ways they prefer.
>> But as you are a DD you'd better not ignore our Security Team when
>> starting discussion publicly about a security incident you are not
>> sure whether it's relevant to Debian. People at Security Team are not
>> only responsible for fixing things when it breaks out, but also make
>> sure sensitive information is being disclosed in a correct form at a
>> correct time. In the end, I believe talking with them beforehand is
>> always a right way to do, no matter if Debian is affected by this
>> particular issue.
>>
>
> The first time I wrote it, it wasn't clear enough. Maybe writing with
> CAPS-ON will help your understanding! :)
>
> IT HAS ALREADY BEEN MADE PUBLIC (for example: on slashdot) !!!
>
> Do you get it now? :)
>

It's YOU that didn't get my point, :)

> With such security "glitch", how much do you expect from keeping
> such a discussion secret, with the security team? I'm telling you,
> you'd achieve absolutely nothing. Everyone will know so fast that
> it doesn't matter at all. And it's better that everyone in Debian knows
> about what's going on, so we have at least a little bit of opportunity
> to fix what can be before disasters.
>

I'm not expecting to hide anything, but it's harmful to announce to the
world by a discussion in debian-devel that we are affected with no
solution provided, at the time related people (meaning the maintainers
and Security Team, not including the user - like you) haven't said a
word about it.

If you are trying to inform people to act, then debian-devel is not a
good place, because you can't expect all Debian users are following our
mailing lists, it's YOU who want to be sure of something, then
confirming with mysql's maintainer and/or Security Team will give you a
certain answer. debian-devel is not a place for collecting random
trying discoveries for security related issues anyway.

--
Regards,
Aron Xu