dfoxfra...@gmail.com said:
> I'm on the fence as to whether this bug is bad enough to merit tagging a
> release right away. Both NTP.org and the Redhat folks who discovered the bug
> are downplaying it, but I'm leaning toward yes given that even *legitimate*
> leap seconds have a long history of creating ops havoc, so a bogus one could
> be especially insidious.

I think as a general policy we should push the release button whenever we fix
a security bug.

That just pushes the problem to "what is a security bug?" I'd say two reasons.
One is an obvious security bug. The other is anything with a CVE number or
equivalent listing on some respected bug tracking database.

--
These are my opinions. I hate spam.