On 5 March 2013 08:46, Andrea Pescetti <pesce...@apache.org> wrote:

> Daniel Shahaf wrote:
>
>> if somebody replies to your post and says "Hey,
>> false negative", you really want _that_ to happen privately.
>
> That was my concern too. Jan is perfectly right that he merely forwarded a
> public security announcement, and that there is absolutely nothing wrong
> in this in itself, but it's better to avoid the (admittedly remote, in this
> case) possibility that someone exposes a security risk while commenting.
> Take this as a generic practice; we had similar discussions about
> vulnerabilities found in libraries, for example; and the common advice is
> not to discuss security-related practices in public.

I did not take it personally, but I do not understand how we can discuss an issue on a mailing list where most of the people needed for the discussion do not have access.

Please remember my purpose, we need 2-3 volunteers to test the update. Had it been a real security update (it does contain other fixes as well), I would simply have applied it after a short discussion on IRC.

But I do honestly think that escalating a non-issue like this to r...@apache.org is wrong and that was why I reacted.

Instead of discussing what I should have done (and making me think "why do I care"), maybe we could concentrate on whether or not it should be applied, and if there are any volunteers to test it.

thx in advance.

> Regards,
> Andrea.