[Zope-dev] RE: Resolved security-related collector issues for the public?
Richard Waid
richard at iopen.net
Thu Jan 22 16:37:56 EST 2004
Paul Winkler wrote:
> On Fri, Jan 23, 2004 at 09:45:43AM +1300, Richard Waid wrote:
>>How about something along the lines of:
>>
>>- Development team only disclosure for the first x days (2 to 7 days is
>>the maximum here I would think), in order to develop a workaround/patch.
>>
>>- Full disclosure after that, along with a published patch, hotfix or
>>workaround.
>
> OK, but what if there is no patch, hotfix, or workaround ready
> after 2-7 days? Some of these bugs have taken much longer.
I think we need to be looking at _why_ the bugs have taken much longer.
Is it strictly lack of resources? Security fixes, generally, shouldn't
come in batches of 10 (or whatever) because, even if they're related, it
makes testing the
critical-security-patch-that-needs-to-be-applied-right-now extremely
difficult for almost everyone.
--Richard