On 15-03-04 07:46 AM, Kathy Lussier wrote:
> I really think we need to increase the transparency of these bugs
> without compromising the security of our systems in the process. Any
> site running Evergreen in a production environment should have a right
> to know when a known security bug affects their system, especially
> when it comes to those bugs that have been left unresolved for many
> months. Maybe we could allow one trusted person from each site
> to subscribe to security bugs or maybe there are other methods for
> sharing this information for Evergreen sites.

Thanks for raising this, Kathy. It's been on my mind as well.

For Sitka, it would certainly be helpful to have more awareness of issues that are known to the security team. In our case, we'd be very willing to devote some resources to help resolve security issues more quickly, by writing code or by testing/signing off on fixes prior to release. That might be helpful if there is a backlog of security issues that have been reported but not resolved. But not all production Evergreen sites necessarily have the resources to contribute in those ways.

And thanks very much to everyone involved in getting those fixes out!

--
Jeff Davis
Lead Evergreen Specialist
BC Libraries Cooperative
