> * Theo de Raadt:
>
>> What if we ignore your procedures? What if we say no?
>
> You won't be told about bugs in the code you write. It's as simple as
> that.
>
> But I don't quite understand why Gadi is so thoroughly offended by the
> way this vulnerability has been handled so far. The patches might
> be obscure, but at least there are official patches for older
> versions, too. And there is an official advisory. It could be far
> worse. The programmers of a rather popular kernel do not publish
> advisories at all, for instance.

I don't quite understand the complaints about "obscure" patches; intricate bugs require elaborate patches. It's not a one-line sprintf->snprintf change that is easy to understand. Because of the way the bug was addressed, ripping out setjmp/longjmp, a lot of change is needed which is not immediately obvious. But such is the nature of complicated bug fixes; sometimes one also needs to rewrite parts in a more natural way, or the code will become increasingly "patchy" and less maintainable.

Casper