pre-notification dilemmas:
daniel.haxx.se/blog/2023/03/29… - I will not tell the distros mailing list about pending #curl security vulnerabilities anymore. As requested.
#curl
in reply to daniel:// stenberg://

oh that's not great, I hope the people in charge of that mailing list reevaluate that decision
in reply to daniel:// stenberg://

What does an embargo mean? Is there any reason for the distros to not grant that?
in reply to Moanos

@moanos it just means they don't tell anyone about the issue until the planned announcement date. And no, there is no (good) reason why they cannot just grant us this - if you ask me anyway.
in reply to daniel:// stenberg://

I think that "they" in that sentence shouldn't be there

> this is an exception and they their policy says this is not acceptable for embargos.

in reply to daniel:// stenberg://

That's too bad. You have been a very regular poster there with high quality reports. I've been on the list for a while, and while I appreciate all the work solar designer does for the community there (and why he doesn't want to extend embargoes) it's clear that the way it is run doesn't work for a lot of projects. Maybe it's time for an alternative.
in reply to Johannes

@swars clearly something is wrong when neither curl, Firefox or the Linux kernel (can) post about their vulnerabilities there... But I'm not the one to tell what the alternative should be.
in reply to daniel:// stenberg://

I agree. An alternative could be a list like distros, but with no (or very lax) ground rules, where the reporters specify the rules for the embargoes. Don't know if this would work out, as this also has quite some potential for problems, but it might be worth a try.