Hi Gil,

On Mon, May 27, 2019 at 1:41 AM Gil Tene <[email protected]> wrote:
> Seriously?
>
> You see factual reporting (directly documented and dated in the original
> posting) of the actual version numbers being used by official docker
> images, along with irrefutable proof that the packages used in those were
> built weeks before the respective OpenJDK 8u and 11u releases were
> complete, as “fake news”?
>
> You think that alerting millions of unsuspecting people using exposed,
> insecure builds that falsely report their OpenJDK version (as one that
> includes e.g. critical security fixes) to the fact as “marketing”?
>

Did you try to contact Debian folks to give them an opportunity to fix those security concerns before going public with them? Or did they not react in time?

Cheers, Thomas

