On Wed, May 02, 2007 at 07:39:06AM +0200, [EMAIL PROTECTED] wrote: > On Tue, 1 May 2007, Patrick R. Michaud wrote: > > >On Tue, May 01, 2007 at 09:59:45PM +0200, [EMAIL PROTECTED] > >wrote: > >> > >>PS. Regarding security issues (as with Zap for instance), would it make > >>sense to have a list for those kinds of announcements? > > > >We have pmwiki-announce for that. > > That's a public list, isn't it? So the vulnerability is publicly > announced - I thought some people would object to this?
In general it's considered good etiquette to contact a package's maintainers privately about potential vulnerabilities before making a public announcement. This is intended to give the maintainers an opportunity to determine if the vulnerability actually exists in fact, evaluate the potential ramifications, and to come up with mitigation strategies before it's widely known among people who might exploit it. > Hmm.. what about this problem with Zap (or recipes in general) > - is that something to announce? It's already been announced on pmwiki-users -- I'm leaving it to others to decide if a message should also go to pmwiki-announce. Anytime someone wants to make an announcement, security-related or otherwise, it can be posted to <[EMAIL PROTECTED]>. That's a moderated list, but I'll generally approve the post unless it's really off-topic for that list. Pm _______________________________________________ pmwiki-users mailing list [email protected] http://www.pmichaud.com/mailman/listinfo/pmwiki-users
