Date: Sun, 25 Jun 2006 14:23:35 +0100 (BST) From: Robert Watson <rwatson@FreeBSD.org> To: Alexander Leidinger <Alexander@Leidinger.net> Cc: cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org, secteam@freebsd.org Subject: Re: cvs commit: src/sys/compat/linux linux_misc.c Message-ID: <20060625141943.X82242@fledge.watson.org> In-Reply-To: <20060625142745.my6cnc4yog0kcggc@netchild.homeip.net> References: <200606231849.k5NIncuF041890@repoman.freebsd.org> <20060623214521.7b1441a6@Magellan.Leidinger.net> <20060625002255.F8526@fledge.watson.org> <20060625142745.my6cnc4yog0kcggc@netchild.homeip.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 25 Jun 2006, Alexander Leidinger wrote: > Quoting Robert Watson <rwatson@freebsd.org> (from Sun, 25 Jun 2006 00:32:54 > +0100 (BST)): > >> This isn't just not a huge security flaw, it's not a security flaw at all. >> It is a reliability bug due to a mis-implemented API that results in a >> clean failure in the presence of a well-characterized case. It doesn't >> appear to be exploitable to gain privilege, deny service rmeotely, etc. >> If this is a critical stability fix, it should be treated as an errata >> patch candidate. In the future, please don't use the "Security" tag for >> this type of change. However, do feel free to e-mail re@ to talk about >> whether this is an errata patch candidate, keeping secteam@ in the loop, as >> they currently own the 6.1 branch. > > I didn't know what to use instead to mark up an important fix to the people > which own the branch. Do you think it is worth to add ... maybe "Errata > candidate:" to the commit template to draw attention to something very > early? I'm not sure there currently is a formal tag for that. In the past, I've simply noted something like the following: RELENG_6_0 merge candidate. I think the general model for errata candidates is that the process is driven by the developer who believes that they have a change that reqiures an errata note, rather than by the branch owners. In particular, once there's been adequate testing time, the onus is on the developer to e-mail re@ (with a CC to secteam@) to discuss whether it's an appropriate candidate patch or not, at which point the right direction can be determined. BTW, if the Oracle used to work and now doesn't (i.e., a regression), then it may well be that this is a good errata patch candidate. However, if it has never worked, then I'm not sure it is a good errata patch candidate, and waiting on 6.2 may be the preferred model. Robert N M Watson Computer Laboratory University of Cambridge
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060625141943.X82242>