Date: Fri, 17 Jan 2003 14:02:54 -0800
From: Juli Mallett
To: Gregory Sutter
Cc: Alfred Perlstein, Nate Lawson, Martin Blapp, cvs-all@FreeBSD.org, cvs-committers@FreeBSD.org
Subject: Re: cvs commit: src/usr.sbin/mountd mountd.c src/usr.sbin/rpc.lockd lockd.c src/usr.sbin/rpc.statd statd.c src/usr.sbin/rpc.yppasswdd yppasswdd_main.c src/usr.sbin/rpcbind rpcb_svc_com
Message-ID: <20030117140254.A96500@FreeBSD.org>
In-Reply-To: <20030117215606.GA29071@klapaucius.zer0.org>; from gsutter@zer0.org on Fri, Jan 17, 2003 at 01:56:06PM -0800
Organisation: The FreeBSD Project

* From: Gregory Sutter [ Date: 2003-01-17 ]
	[ Subject: Re: cvs commit: src/usr.sbin/mountd mountd.c src/usr.sbin/rpc.lockd lockd.c src/usr.sbin/rpc.statd statd.c src/usr.sbin/rpc.yppasswdd yppasswdd_main.c src/usr.sbin/rpcbind rpcb_svc_
> On 2003-01-16 10:51 -0800, Alfred Perlstein wrote:
> > In the light of the security issues here and request for silence
> > about the issue, perhaps we can post a followup to -developers after
> > such a commit and at a later date follow up with a forced commit
> > when things are "safe" to completely explain the issue.
>
> That is excellent advice on a subject that has come up before and
> surely will again. Perhaps it should be codified in the Committers'
> Guide?
>
> The only change I'll suggest is that the followup be sent to
> cvs-committers and cvs-all instead of developers; more than just
> those with CVS privileges follow the commit logs, and I'm sure all
> will be interested in reading the commit logs and followup messages
> so they can better judge their systems' vulnerability.

They will find out when the forced commit happens, in such a scenario.
If the vulnerability cannot be disclosed immediately, then other developers
should probably be made aware that there *IS* one, and that information is
coming, at the very least. Otherwise, keeping it quiet can be good.

--
Juli Mallett
AIM: BSDFlata -- IRC: juli on EFnet.
OpenDarwin, Mono, FreeBSD Developer.
ircd-hybrid Developer, EFnet addict.
FreeBSD on MIPS-Anything on FreeBSD.