On 10/27/05, Shie Erlich <
shie....@gmail.com> wrote:
> since we're so close to releasing 1.70.0, i won't release 1.60.1.
> the security risk is not major anyway.
>
I agree that releasing 1.60.1 is maybe overkill but we need to provide
at least a security patch for 1.60.0 as a download,
since 1.60.0 will be used for several years.
Also by removing 1.60.0 as a download and replace it by 1.60.1 is much
more secure, so long 1.60.0 is available for downlad it will be downloaded,
and some people would not be aware of the security patch.
Usually it will take about 1 year before 1.70.0 will be used by
serveral distro's,
and if you take a lifetime of 5 years, it means that 1.70.0 will be used
somewhere in the world for about 6 years.
Btw. on an old computer i have krusader-1.30 :-)
Also we need to think howto deal with security holes,
maybe some day we will find a major security hole,
when we have a *security hole warning plan*
we can respond much more faster.
On 10/28/05, Richard/g <
richar...@gmail.com> wrote:
> i think it would be correct to replace 1.60.0 with 1.60.1 and remove
> 1.60.0. There are still lots of people using and downloading
> 1.60.0, I think. At least there are lots of distros using it.
>
> Kanotix will probably soon be releasing a new version with 1.60.0-2,
> from Debian.
>
> Richard.
>
Debian sid (unstable) is already using 1.60.0-3, Kanotix is a bit behind
btw. 1.60.0-3 does not contain a patch for this issue, it was released
at 2005-09-12.
I have sended a bug report to the Debian Bugtracker system:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=336169
http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=krusader
So 1.60.0-4 or 1.70.0-1 will solve this issue.
Actually we need todo this for several disto's
http://distrowatch.com/search.php?pkg=krusader&pkgver=1.60.0#pkgsearch
Also i think we need to send a message + patch to the krusader-news mailinglist,
it's also intended to inform about security holes,
http://www.krusader.org/handbook/faq_general.html#faqg_mail_list
All package maintainers of krusader should be at least be subscribed to
the krusader-news list,
but it can't hurt to send bugreports to several disto's that offer 1.60.0
since not all packagers are subscribed to the krusader-news list.
Maybe some distro's have a secu...@distro.foo e-mail adress where we
can send this info?
We need think about this, so we have a *security hole warning plan*
for the future.
Any opinions ?
bye,
Frank