Juju needs security contacts

Clint Byrum clint at ubuntu.com
Mon Aug 27 17:29:29 UTC 2012


Excerpts from Gustavo Niemeyer's message of 2012-08-27 08:18:44 -0700:
> Thanks for pushing this forward Clint.
> 
> On Thu, Aug 23, 2012 at 10:26 PM, Clint Byrum <clint at ubuntu.com> wrote:
> > * Commit fixes to public branches and send notifications about security fix.
> 
> When we do face a significant threat, publishing to a public branch at
> the announcement time isn't enough. People should actually have a good
> path to make use of the fix. Secrecy isn't worth much if the bad guys
> can still make use of the problem significantly earlier than people
> have a chance to fix it.

Right, this is the reason for the coordinated release pattern.

That said, I do see that commit is not enough, but actual patch releases
of the software must be made at the same time the commits are pushed.


