On 10 October 2012 14:02, Konstantin Tokarev <annu...@yandex.ru> wrote:
>
>
> 09.10.2012, 20:59, "Richard Moore" <r...@kde.org>:
>> On 9 October 2012 09:21, Marc Mutz <marc.m...@kdab.com> wrote:
>>
>>> Hi Rich,
>>>
>>> Thanks for taking the time to write this up. I have but one question:
>>>
>>> On Monday October 8 2012, Richard Moore wrote:
>>>> * Where possible, packagers should be informed directly of which SHA1s
>>>> they should cherry-pick in order to get a security fix.
>>> What process do you recommend to prevent the Gerrit review of the patch (a
>>> necessary precondition for obtaining a final SHA1 of the commit) from
>>> (prematurely) disclosing the vulnerability?
>>
>> That's a real problem, I agree. There's some discussion on the topic here:
>> https://bugs.launchpad.net/openstack-ci/+bug/902052
>
> Launchpad is certainly the wrong place to discuss this topic. It should be
> submitted as a feature request to Gerrit.
It was discussed with the Gerrit people; there's a response from them in the
comments where they discuss how they handle the same issue for security holes
in Gerrit itself. The short version is that they have a second, private Gerrit
instance for this.

Cheers

Rich.

_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development