
Re: Is Debian affected by the recent MySQL sql/password.c flow?

On Tue, Jun 12, 2012 at 2:11 AM, Thomas Goirand <zigo@debian.org> wrote:
> On 06/12/2012 01:52 AM, Aron Xu wrote:
>> IMHO I suggest to talk with Security Team before disclosing
>> information that might be sensitive in the meantime on a Debian
>> development mailing list.
> Could you explain to me what exactly I'm disclosing?
> The news is already on slashdot and so on, and I think
> it'd be better to know, as hackers will.

I'm not saying you are disclosing anything, but you are asking if
someone knows it's in what status publicly in a Debian development
mailing list. Then this may lead to some disclosing and even mislead
some other people. Yes there are many people doing tests just like
you, and they are reporting their results in many ways they prefer.
But as you are a DD you'd better not ignore our Security Team when
starting discussion publicly about a security incident you are not
sure whether it's relevant to Debian. People at Security Team are not
only responsible for fixing things when it breaks out, but also make
sure sensitive information is being disclosed in a correct form at a
correct time. In the end, I believe talking with them beforehand is
always a right way to do, no matter if Debian is affected by this
particular issue.

Aron Xu
