Alvin Oga wrote:
> ...
>>shorewall has been trying for weeks to get a DSA issued about a
>>vulnerability, and it seems we have to convince Joey that it *is* a
>>vulnerability before he'll issue it. (I don't understand this - how can
>>Joey even *try* to understand every security bug?) Repeated attempts to
>>communicate this have been met with silence.
>
>
> if the originating authors thought xx was a security problem,
> they'd fix it

We did, and issued new stable versions in three different stable branches. And put news on the web page. And notified all of our users. And notified the developers who work on the distribution packages. And worked with the Debian maintainer to get the Debian security team informed about it.

> i doubt security problems is fixed by 3rd parties and released as
> patches to the original w/o saying it is a 3rd party patch vs
> fixed at the originating source

What makes you think that this didn't occur?

> joey and crew can't possibly examine, review, fix, verify all bugs
> no matter how good of an expert security coder they were

My point exactly. Which is why I can't understand why he'd even bother to question whether there was a vulnerability.

--
Paul
<http://paulgear.webhop.net>
--
Did you know? Email addresses can be forged easily. This message is signed with GNU Privacy Guard <http://www.gnupg.org> and Enigmail <http://enigmail.mozdev.org> so you can be sure it comes from me.