On 7/5/16 10:43 PM, Aaron Bauman wrote:
> 
> That CVE request was not from Ago.  It was from the respective OSS ML
> referenced in the URL field of the bug report.  Not to mention, you as a
> maintainer were able to discover another issue with that package and fix
> it.
> 
You never bothered to follow that OSS ML link.  For others reading this
email, here is the link:

http://www.openwall.com/lists/oss-security/2013/02/24/5

Here's a copy of that entire email:

<email>

Date: Sun, 24 Feb 2013 20:00:57 +0100
From: Agostino Sarubbo <a...@...too.org>
To: oss-secur...@...ts.openwall.com
Subject: CVE request: monkeyd world-readable logdir

Monkeyd, a small, fast, and scalable web server, produces, at least on
gentoo a world-readable log.

# ls /var/log/monkeyd/master.log -la
-rw-r--r-- 1 root root 0 Feb 24 19:56 /var/log/monkeyd/master.log

Upstream site: http://www.monkey-project.com/

-- 
Agostino Sarubbo
Gentoo Linux Developer

</email>


That is what you p.masked on.  That's it.  Neither you nor Ago really
understood the issue with monkeyd's logging.  There were no followup
emails and no CVE was assigned.  It's junk.

By both initiating and following through on such low quality bugs, you
are damaging the reputation of the security project.


>> I personally would like to see only QA oversee any forced p.maskings and
>> have the security team pass that task over to QA for review.  By forced
>> I mean without the cooperation of the maintainer.
>>
> 
> Again, no one else has had an issue with this except you.  The one who
> doesn't want to cooperate.  

Having people review your work is a good idea, no?  So in cases where
security wants to touch a package, why not ping the maintainer first
and in case of a dispute or no response, escalate the issue to QA who
will review the problem and act.

Are you okay with this change in procedure?


-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

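The finding quoted above (a log file created 0644 under /var/log/monkeyd) is one instance of a general class: log directories that grant "other" read access.  The following is an added example, not code from the thread, from Gentoo, or from the Monkey project, showing how a maintainer might audit a log directory for that condition and tighten it.  The directory, file names and modes are constructed for the demonstration; the `make_sample_logdir` helper stands in for a real /var/log/<package> tree.

```shell
#!/bin/sh
# Added example (not from the original thread or the Monkey project):
# audit a log directory for world-readable files, the class of issue
# reported for /var/log/monkeyd/master.log, and remove the "other" read bit.

# Print every regular file under $1 that has the "other" read bit (0004) set.
# `-perm -004` (octal, "all of these bits set") is POSIX and works with
# GNU and BusyBox find alike.
world_readable_logs() {
    find "$1" -type f -perm -004
}

# Strip the "other" read bit from every file the audit reports.
# `o-r` leaves owner/group permissions and any setuid/setgid bits alone.
fix_world_readable_logs() {
    find "$1" -type f -perm -004 -exec chmod o-r {} +
}

# Build a constructed sample directory standing in for /var/log/monkeyd
# (path and file names are illustrative, not the package's own).
make_sample_logdir() {
    dir=$(mktemp -d)
    : > "$dir/master.log"; chmod 0644 "$dir/master.log"   # the reported case
    : > "$dir/access.log"; chmod 0640 "$dir/access.log"   # group-readable only
    : > "$dir/error.log";  chmod 0600 "$dir/error.log"    # owner only
    printf '%s\n' "$dir"
}

# Number of world-readable files under $1; convenient for scripting checks.
count_world_readable() {
    world_readable_logs "$1" | wc -l | tr -d ' '
}

# Run with --demo to see the audit before and after the fix.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_logdir)
    echo "before:"; world_readable_logs "$d"
    fix_world_readable_logs "$d"
    echo "after: $(count_world_readable "$d") world-readable file(s)"
    rm -rf "$d"
fi
```

The audit checks permission bits, not what the daemon will do on the next rotation or restart: a package that wants the fix to stick also needs the creating code (or its logrotate `create` mode) to open the file with a restrictive mode, otherwise the file comes back 0644 after the next write.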