Re: qpopper [was: what's up with security?]

On Sun, May 28, 2000 at 04:03:53AM +0200, Othmar Pasteka wrote:
> hi,
> On Thu, May 25, 2000 at 02:55:36PM +0200, Miquel van Smoorenburg wrote:
> > > sigh, i should really archive more mail myself  (old habit from disk
> > > impaired days)   i don't have an exact pointer, however the message
> > > was sent yesterday (5-24) so it's possible it's not in the bugtraq
> > > archives.  the maintainers of qpopper posted a message saying
> > > essentially `upgrade to 3.0, 2.53 is buggy' 
> > Right. I'll upload the fixed version in a few minutes.
> nice to know ... but WHERE is the security announcement mail? i

Exactly where it should be. Nowhere.

> don't see any, and this is bad. how should someone (a guy using debian
> and qpopper) reading bugtraq know that 2.53-debian is fixed, when there 

How would the same person know that security-related fixes had been made to
Mandrake 7.1b3 (for example)? Do you see any distributions providing
security fixes for beta releases of their distribution?

> is no announcement but silently discussed on some -devel mailing list and 
> installed into the archive??

As it should be. unstable == alpha; frozen == beta. Neither have been

If the security flaw exists in a released version of Debian then
we should be telling the world of our fix - otherwise they don't
need to know.


