2007/3/16, Kian Mohageri <[EMAIL PROTECTED]>:
Yeah. Expectations aside, being condescending is never warranted. Both Karl and Martin did just that. They could have asked if there was a reason it wasn't sent to security-announce@ instead of misc@, rather than saying "This is terrible handling of a bug" after it was fixed almost immediately.
It _was_ fixed quite fast; the released patch took another 10 days (granted, waiting for PoC is understandable). What was lacking is what Core criticised: This was not seen as a security problem right along, instead it took a PoC _exploit_ before we all got a warning by Theo, and even that warning was _not_ on the designated channel (security-announce).

I've said it before: security-announce is broken. Either fix it (shouldn't really be too hard and takes less time than reading this thread) or delete it and point to source-changes instead.

I'm annoyed that the handling led to much negative press for the project. We can do better. But Theo seems to think everything is fine.

Best
Martin