Hi, Moritz,

on 8/6/05 11:07 PM Moritz Muehlenhoff said the following:
| Plus a disturbing constant flow of security vulnerabilities; eight alone for
| 2005. Do they have a clear policy of documenting issues or do they only
| provide new releases without documenting the vulnerabilities? (This would
| make support for a stable release close to impossible).

Fair question, from a discussion on their dev mailing list [1,2]:

------
Security issues are documented in both our NEWS file (aka ChangeLog) and announced publicly after the fix has been committed. Any other way would really be bad for any end-users as we do not want them to be unaware of outstanding bugs in old releases. Of course, this is already much, and we're very sorry about this. But if you look at the security trackers you will see that many, many web-applications have had similar bugs in 2005. This seems to be the year of many people testing XSS. Look at WordPress, they have had similar problems. But we take our security problems seriously, and for errors that come to our attention we have provided fixes in less than 12 hours in the past.
------

They also have a security section on their blog [3] with an RSS feed I can subscribe to. In addition, they maintain a stable branch in their svn tree [4], which just gets bug & security fixes. So identifying relevant security patches should be quite trivial as I can pick them from this branch rather than trying to find them from within the trunk.

I hope this is somewhat reassuring.

Cheers
Penny

1: http://sourceforge.net/mailarchive/forum.php?thread_id=7468268&forum_id=31275
2: http://sourceforge.net/mailarchive/forum.php?thread_id=7473550&forum_id=31275
3: http://blog.s9y.9rg/
4: http://svn.berlios.de/viewcvs/serendipity/