On Fri, May 9, 2014 at 5:58 PM, Jonathan Moules <
[email protected]> wrote:
> I'm not sure I'd agree with Andrea's assessment of there only being two
> ways to divulge a bug. Per my original post, there is the third way:
> Responsible disclosure, and it is compatible with Open Source. The notion
> behind it is that only developers get informed of the bug until a patch is
> ready so as to minimise the risk of raising awareness/use by blackhats
> before it can be defended against. Once a patch is developed (in a timely
> fashion!), information is disclosed to all.
> There are advantages and disadvantages to all methods.
>
This works under the assumption that someone will take out a Sunday to develop the security patch.

Which does not match reality: we have a pull request against an old version of GeoServer to fix an XSS vulnerability that has been sitting there for months now, and nobody took it over and updated it to work with the current versions (https://github.com/geoserver/geoserver/pull/466). Of course the patch itself cannot be merged, 2.1.x has been unmaintained for years, but taking it over also means starting a discussion about adding new dependencies to GeoServer and the like...

When I see people talking so casually about the open source developers taking over this work in a timely fashion, I would like to have them spend some weekends with me as I go through bug reports and pull requests instead of getting out and relaxing a bit...
Cheers
Andrea
--
==
Meet us at GEO Business 2014! in London! Visit http://goo.gl/fES3aK
for more information.
==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users