Thanks for bringing this up Kathy. I'll +1 everything you've said so
far. Like Jeff/Sitka, MOBIUS would be willing to commit resources to
creating patches/signoffs for these highly critical issues.
Justin
On 3/4/15 12:42 PM, Jeff Davis wrote:
On 15-03-04 07:46 AM, Kathy Lussier wrote:
I really think we need to increase the transparency of these bugs
without compromising the security of our systems in the process. Any
site running Evergreen in a production environment should have a right
to know when a known security bug affects their system, especially
when it comes to those bugs that have been left unresolved for many
months. Maybe we could allow one trusted person from each site to
subscribe to security bugs, or maybe there are other methods for
sharing this information with Evergreen sites.
Thanks for raising this, Kathy. It's been on my mind as well. For
Sitka, it would certainly be helpful to have more awareness of issues
that are known to the security team. In our case, we'd be very
willing to devote some resources to help resolve security issues more
quickly, by writing code or by testing/signing off on fixes prior to
release. That might be helpful if there is a backlog of security
issues that have been reported but not resolved. But not all
production Evergreen sites necessarily have the resources to
contribute in those ways.
And thanks very much to everyone involved in getting those fixes out!