On 7/4/16 11:26 PM, Aaron Bauman wrote:
>
> Finally, that does not dissolve the developer of providing usable,
> substantiated, and verifiable information regarding the
> vulnerabilities. The idea that a developer gets to choose whether or
> not they do so should not be considered. Anthony's verbiage on Freenode
> was very frank, in that if he chose to do so he would. We ask for all
> developers to assist and work together with us to fix these issues. You
> can see the fruits of such information from the developer following Alex
> Legler's comments on the bug and my follow up actions.
>
> -Aaron
>
1) In bug #473770 upstream gave sufficient information. I stated so in comments #1 and #2 with links. You ignored this fact and proceeded to p.mask in comment #3. This CVE should never have been filed. It's junk.

2) Bug #459274 is not a security bug. A CVE request was filed by Ago which, as far as I can tell, went nowhere. The log file in question does not disclose much more than one could obtain with just ps and netstat. I fixed a related issue with access.log in bug #459274.

3) My point on IRC is that you are acting on junk CVEs and I question your judgment. You can't produce "substantiated and verifiable information" on junk. Your above paragraph eclipses that side of my argument and strawmans me.

I personally would like to see only QA oversee any forced p.maskings and have the security team pass that task over to QA for review. By forced I mean without the cooperation of the maintainer.

-- 
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
