This is the mail archive of the mailing list for the Cygwin project.
Re: HEADSUP: Security updates outstanding
-----BEGIN PGP SIGNED MESSAGE-----
Christopher Faylor wrote:
> I hate to suggest another mailing list but I wonder if we should have
> another unarchived, closed list for discussing security issues. The
> recent setup.exe problem got me thinking that we might need something
> like this.
>
> I'm not suggesting that this email was inappropriate since these are all
> known issues but maybe another mailing list might help focus on
> important security issues.
>
> Or should we just use this list and not worry about it?
The major problem that we have with security is that we don't have a
person/team which has advance notice of security issues like the Linux
distros have, and I have no idea how to go about changing that. Right
now I have to wait for the issues to be public in order to know about them.

If we can set up a "security team" from the core group of maintainers
and start getting advance notices, then we definitely will need a way of
communicating in private. I would agree to such a list for the
"security team" only, but I would suggest it be used in tandem with
"closed" Bugzilla entries. This would allow including a maintainer on a
per-issue basis, and once the issue is public, the bug could then be opened.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----