[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-05 Thread IGnatius T Foobar
I'm willing to hold off on releasing our own security alert, and even perhaps waiting until 0 Day to release an updated version of the software. What I'm *not* willing to do, is to stop using our source code repository the way it was intended because some tinfoil-hat thinks that someone's going

[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-05 Thread samjam
On 05/05/11 12:46, IGnatius T Foobar wrote: I'm willing to hold off on releasing our own security alert, and even perhaps waiting until 0 Day to release an updated version of the software. What I'm *not* willing to do, is to stop using our source code repository the way it was intended because

[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-05 Thread IGnatius T Foobar
You know what, I am not really interested in working with people who feel the need to tell me exactly what they want me to do, so it's ok. I would much rather accept security alerts from people who do it the normal way.

[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-04 Thread IGnatius T Foobar
oops. gotta fix that. We're going to hold off on any releases for now, though. The guy chose some weird non-standard disclosure method and then got his panties in a bunch when I misunderstood it. Normally a coordinated disclosure means that everyone's got a patched version available for

[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-04 Thread dothebart
well, you can commit, you just mustn't push until the disclosure date.

[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-04 Thread IGnatius T Foobar
I think that method is stupid and I'm not going to follow it. In the real world, coordinated public disclosures include an advisory that says upgrade to version x.yy in order to protect your server against this vulnerability.

[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-03 Thread IGnatius T Foobar
Thanks for ignoring what it means to do a coordinated release between different products and vendors... I guess that was the first and last advanced notice for citadel, at least from my side. You were expecting something different? 100% of the security advisories to which we have