On Wed, 22 Sep 2010 10:14:57 -0500 George Kasica <george_kas...@mgic.com> wrote:
> Tomaz:
>
> Typical issues as in the past...first no clue it was coming out (no
> release candidate no announcement)...it just appeared, no idea it
> would have issues with bzip2

There is a problem with security updates and release candidates (or announcements):
- we can release only after the vulnerability is disclosed (in case of 3rd-party libraries)
- we were watching upstream bzip2 to release, and released soon after that, we didn't have a reliable release date in advance
- we could have told you that we are preparing a new version to fix the bzip2 vulnerability, but we couldn't release an RC with the bzip2 fix included (since that would've disclosed the vulnerability prior to upstream having a fix)
- even if we were able to provide an RC, it would have told you that your bzip2 is buggy and you need to upgrade. That would have caused even more confusion, since there was no new upstream bzip2 version with the fix.

Considering all this, do you think it would be useful to provide advance warning about a new security fix release in the future?

Best regards,
--Edwin