Frank Hecker wrote:
> Stuart Ballard wrote:
>
>> Can we make it formal policy that a bug which *did not exist* in any
>> previous milestone can never be "security-sensitive"? That is, if a bug
>> is reported between 0.9.7 and 0.9.8, and it turns out that 0.9.7 is not
>> affected by this bug, then the bug should be kept public.
>>
>> My logic is that in this situation, no (reputable) distributor will ever
>> have made a release containing the bug, so the legitimate argument for
>> confidentiality disappears.
>
> Interesting point. This is certainly something that I would expect the
> security module owner, peers, and the rest of the security bug group to
> take into account. Whether it should be part of the overall policy or
> not is a good question. (I agree that a distributor wouldn't typically
> use a non-milestone release as a base, but I can't necessarily
> absolutely rule it out.)
I like that too. Personally, I'd like to see it in the policy. If nothing else, it's a great example of the kind of security-related bug that can be released into the wild without a time delay.

--Chris

--
------------
Christopher Blizzard
http://people.redhat.com/blizzard/
Mozilla.org - we're on a mission from God. Still.
------------
