Mel Flynn <mel.flynn+fbsd.questi...@mailing.thruhere.net> wrote: > > On Monday 14 September 2009 23:46:42 David Kelly wrote: > > On Mon, Sep 14, 2009 at 05:13:54PM -0400, ill...@gmail.com wrote: > > > Am 2009/9/14 Dan Goodin <dgoo...@sitpub.com> writhed: > > > > Hello, > > > > > > > > Dan Goodin, a reporter at technology news website The Register. > > > > Security researcher Przemyslaw Frasunek says versions 6.x through 6.4 > > > > of FreeBSD has a security bug. He says he notified the FreeBSD > > > > Foundation on August 29 and never got a response. We'll be writing a > > > > brief article about this. Please let me know ASAP if someone cares to > > > > comment. > > > > > > Has anyone submitted a PR about this? > > > > Przemyslaw Frasunek has PR's posted but none recent. IMO if a PR is not > > submitted then one has *not* informed the Powers That Be. > > Wrong. Security bugs should be reported to the security team, not PR'd.
It's typical for security issues to be kept hushed until a fix is ready. As a result, there are usually no PRs, and in the case where the person who discovered the problem is amenable, there is no public discussion at all until a fix is available. Apparently, Mr. Frasunek started out down that path, which is admirable. It seems as if he doesn't have much patience, however, since he thinks that only 2 weeks is enough time to fix a security problem and QA the fix. -- Bill Moran http://www.potentialtech.com _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"