2007/3/16, Kian Mohageri <[EMAIL PROTECTED]>:
Yeah.  Expectations aside, being condescending is never warranted.  Both
Karl and Martin did just that.  They could have asked if there was a reason
it wasn't sent to security-announce@ instead of misc@, rather than saying
"This is terrible handling of a bug" after it was fixed almost immediately.

It _was_ fixed quite fast; the released patch took another 10 days
(granted, waiting for PoC is understandable). What was lacking is what
Core criticised: This was not seen as a security problem right along,
instead it took a PoC _exploit_ before we all got a warning by Theo,
and even that warning was _not_ on the designated channel
(security-announce).

I've said it before: security-announce is broken. Either fix it
(shouldn't really be too hard and takes less time than reading this
thread) or delete it and point to source-changes instead.

I'm annoyed that the handling led to much negative press for the
project. We can do better. But Theo seems to think everything is fine.

Best
  Martin
