tomcat-dev mailing list archives
From Filip Hanik - Dev Lists <>
Subject Re: Proposed new security pages
Date Wed, 21 Feb 2007 00:56:18 GMT
Yoav Shapira wrote:
> Hi,
> On 2/20/07, Filip Hanik - Dev Lists <> wrote:
>> sounds good, as long as we don't publish vulnerabilities until they are
>> indeed fixed and the release has been voted stable
> Agreed except the "stable" part.  When the vulnerabilities have been
> fixed in any release, including alpha / beta, they can be made public.
> If the security issue is urgent there's likely to be a release with
> nothing (or very little) except the security fix anyways.  Those who
> need to upgrade urgently can do so.
And I don't see the reasoning in that. You can safely assume that most 
corporations will only put a "stable" version in their production.
So let's say that there is a security vulnerability that has been fixed 
in the x.y.(z+1) version, but that version also has some serious issues 
qualifying it as an alpha.
The consequence of this is that you are "advertising" a security 
vulnerability to the world, and you are leaving your users with the choice of either 
continuing to run a stable version that everyone knows how to exploit or 
upgrading to a non-stable version.

Doesn't sound like a fair choice, does it?

> Yoav

To unsubscribe, e-mail:
For additional commands, e-mail:
