Re: [SECURITY] [DSA-2115-2] New moodle packages fix several vulnerabilities

[Michael Gilbert <michael.s.gilbert@gmail.com>]

On Mon, 11 Oct 2010 10:39:37 -0500, Jordon Bedwell wrote:
> On Mon, 2010-10-11 at 11:15 -0400, Michael Gilbert wrote:
> > I highly doubt that there is anything malicious going on here, and there
> > is always the "Debian does not hide problems" mantra.  The simplest,
> > and most-likely explanation is that it was easier to update to the new
> > upstream, rather than attempt to backport fixes for 11 separate issues.
> 
> Why assume somebody meant something malicious? I implied, that perhaps
> there were smaller security upgrades which would have justified a
> version jump... Really guy.

If there are smaller known security issues that were fixed in the
upload but not mentioned in the DSA, which there aren't, then that
would be a case of hiding problems.  The implication there would be
that security team members are intentionally hiding info about issues,
which they aren't.  However, if that were happening, the only way to
interpret that would be as malicious.

> The serious problem with you assuming I implied that something malicious
> is going on is the fact that we can pull the source that he uploaded to
> Debian directly from Debian and view it.

OK, so do that before making an unfounded claim that there is more to
the issue than you're being told.

Best wishes,
Mike