Simon Phipps wrote:
> In my view all that's gone wrong this time is that the CVE was not
> listed in the release announcement. That should probably be fixed
> next time.
>

Hi Simon, all,

well - it's not that easy. The rationale to act as we did was this:

We wanted to release 3.4.6 as early as possible, announce it - and in the announcement hint at the fact that this version includes security fixes. Lifting embargoes on CVEs is customarily left to other entities rather than downstream consumers - at any rate, giving users the time to upgrade, before such a thing goes widely public with all the details, is just responsible IMO.

So what we did, and will do in the future, is release a version, mention security fixes in a rather generic way (if there are any), and after our users had time to upgrade, follow up with more details (see e.g. http://blog.documentfoundation.org/2011/10/05/the-document-foundation-publishes-details-of-libreoffice-3-4-3-security-fixes/ for how we handled that for 3.4.3).

Cheers,

-- Thorsten