From: John Baldwin <jhb@FreeBSD.org>
To: Juli Mallett
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, Martin Blapp, Nate Lawson, Gregory Sutter, Alfred Perlstein, "Bruce A. Mah"
Date: Fri, 17 Jan 2003 19:16:28 -0500 (EST)
Subject: Re: cvs commit: src/usr.sbin/mountd mountd.c src/usr.sbin/rpc.lo
In-Reply-To: <20030117155605.A4640@FreeBSD.org>
X-Mailer: XFMail 1.5.2 on FreeBSD

On 17-Jan-2003 Juli Mallett wrote:
> * From: "Bruce A. Mah" [ Date: 2003-01-17 ]
> [ Subject: Re: cvs commit: src/usr.sbin/mountd mountd.c src/usr.sbin/rpc.lockd lockd.c
> src/usr.sbin/rpc.statd statd.c src/usr.sbin/rpc.yppasswdd yppasswdd_main.c src/usr.sbin/rpcbind
> rpcb_svc_
>> If memory serves me right, Alfred Perlstein wrote:
>> > * Gregory Sutter [030117 14:09] wrote:
>> > >
>> > > Ah, right. An immediate message to developers and later forced
>> > > commit. Somehow I misread that the first time such that both the
>> > > message and the forced commit would come only after the public
>> > > release of security information. Sorry.
>> > >
>> > > What do you think of codifying the situation in the Committer's Guide?
>> >
>> > I think it's a great idea, when will you be done? :)
>>
>> It sounds to me like you (pl.) are advocating early disclosure of
>> security vulnerability information to a set of several hundred people,
>> at a time when generally, only a handful of people have need-to-know.
>>
>> (In case it's not clear, this idea scares me greatly.)
>
> We just need to know that there *is* a security-related aspect to what
> has been committed, and that we should await further info.

No, that gives you a reason to possibly go look at it to try and figure
out what the fixed bug was. Instead, you just need to trust that during
a release freeze the folks on re@ are not a bunch of boneheads and that
if they sign off on something, they have a good reason for it. The so@
folks don't tell developers@ every time they learn of a vulnerability,
so I don't see why we need a different rule for quick MFC's during a
release freeze.

-- 
John Baldwin <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/