HEADSUP: Security updates outstanding

Yaakov (Cygwin Ports) yselkowitz@users.sourceforge.net
Mon Aug 18 02:42:00 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Christopher Faylor wrote:
> I hate to suggest another mailing list but I wonder if we should have
> another unarchived, closed list for discussing security issues.  The
> recent setup.exe problem got me thinking that we might need something
> like this.
> 
> I'm not suggesting that this email was inappropriate since these are all
> known issues but maybe another mailing list might help focus on
> important security issues.
> 
> Or should we just use this list and not worry about it?

The major problem that we have with security is that we don't have a
person/team which has advance notice of security issues like the Linux
distros have, and I have no idea how to go about changing that.  Right
now I have to wait for the issues to be public in order to know about them.

If we can set up a "security team" from the core group of maintainers
and start getting advance notices, then we definitely will need a way of
communicating in private.  I would agree to such a list for the
"security team" only, but I would suggest it be used in tandem with
"closed" Bugzilla entries.  This would allow including a maintainer on a
per-issue basis, and once the issue is public, the bug could then be opened.


Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkio4XoACgkQpiWmPGlmQSMw2gCfTphwMrLIN46o5aw/LLzosmvs
oZ8An32yfI0TzcfNolwkw69qf749Iu5k
=3J3u
-----END PGP SIGNATURE-----
