Hello, The other week, I sent a notice to fedora-legacy-list and fedora- security-list regarding the Macromedia Flash critical vulnerability (CVE-2006-0024, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024) thinking that, even though it is proprietary and therefore Fedora Core, Legacy, & Extras do not distribute it nor provide any support for it, that I could tell my friends on both lists about it, since this bug has the alleged possibility to run abitrary code remotely and so is critical. Here's the post: <http://www.redhat.com/archives/fedora-legacy-list/2006-March/msg00107.html> Some reservations were expressed to me privately about using our mailing list(s) to broadcast such information, after I already sent the thing out. Yet I sent it out, because I felt it would be important for folks who don't get Red Hat Enterprise Linux's security errata to be aware of the issue so they can protect their computers. Perhaps this needs more discussion, however. As participating members of the Fedora Project team, are there things we should not say on the mailing list(s)? I keep reading things about the wiki, for example, that say we mustn't talk (at least on Fedora's official web-pages) about things that aren't "pure" open-source or that violate some standard of open- sourciness; nor should we use the wiki resource to point to outside resources that may have (Linux) software that is proprietary or use features that in some of many jurisdictions might violate patents or other intellectual property laws. If that is so (and it's unclear to me exactly what those boundaries should be), it is unclear to me whether the instance of the buggy Flash player is one of those "no-nos" to talk about on Fedora mailing lists or wiki pages. I would have liked to suggest that someone who is a member of <fedora-list@ redhat.com> make a post there about this issue like that which I posted to fedora-legacy-list and fedora-security-list, to help inform more of the Fedora community about this critical bug. But I am not sure now that sug- gesting or doing that is appropriate? Can any of you offer any insight into this? Thank you. Thanks and Regards, David Eisenstein
