On 2021-04-22 07:14, Adam Dinwoodie wrote:
I've just been informed off-list that there's a Cygwin-specific
security vulnerability in one of the packages I maintain. I'm
reluctant to go into details on a public list, but I'd also appreciate
some support in the best way to manage this to get patches out without
exposing package users to unnecessary security risk.
I'm already working with the upstream to find an appropriate patch,
and I think I have at least a reasonable handle on best practices for
releasing this sort of patch, but I'd appreciate being able to talk
over the specifics with someone (singular or plural) with more
experience of handling this sort of situation.
Is there any way I can get that sort of support from the maintainer community?
Might want to repeat this on the cygwin-developers list.
Andrew Schulman recently released a security update to stunnel and has in the
past, and some of the RedHatters may have experience: CV, YS, EB, JJ.
DM in this case is necessary and likely acceptable.
Avoid any J. Random Hacker who replies as being interested to help.
In general, trust only those whose keys you'd sign with ultimate trust. ;^>
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
