Simon Phipps wrote:
> In my view all that's gone wrong this time is that the CVE was not
> listed in the release announcement. That should probably be fixed
> next time.

Hi Simon, all,
well - it's not that easy. The rationale to act as we did was this:
We wanted to release 3.4.6 as early as possible, announce it - and
in the announcement hint at the fact that this version includes
security fixes.
Lifting embargoes on CVEs is customarily left to other entities
rather than downstream consumers - at any rate, giving users the
time to upgrade, before such a thing goes widely public with all the
details, is just responsible IMO.
So what we did, and will do in the future, is release a version,
mention security fixes in a rather generic way (if there are any),
and after our users had time to upgrade, follow up with more details
(see e.g.
http://blog.documentfoundation.org/2011/10/05/the-document-foundation-publishes-details-of-libreoffice-3-4-3-security-fixes/
for how we handled that for 3.4.3).
Cheers,
-- Thorsten