On 9 October 2012 09:21, Marc Mutz <marc.m...@kdab.com> wrote:
> Hi Rich,
>
> Thanks for taking the time to write this up. I have but one question:
>
> On Monday October 8 2012, Richard Moore wrote:
>> * Where possible packagers should be informed directly of which SHA1s they
>> should cherry pick in order to get a security fix.
>
> What process do you recommend to prevent the Gerrit review of the patch (a
> necessary precondition for obtaining a final SHA1 of the commit) from
> (prematurely) disclosing the vulnerability?
That's a real problem, I agree. There's some discussion on the topic here:
https://bugs.launchpad.net/openstack-ci/+bug/902052

One option I suspect is for us to prepare the fix and review it outside of Gerrit, so that we have it ready to go rapidly once we disclose. This would allow distros etc. to perform testing via the private notification list before it enters the main Gerrit.

Cheers

Rich.

_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development