Adam Bannister <adam.bannister@xxxxxxxxxxxxxxx> writes:

> How did the disclosure and patching process go?

I guess "Just like any other project" would be enough for you to understand, given what you write and where ;-)

A security researcher discloses a possible vulnerability to the git-security mailing list, which is a closed list. On the list, there are developers with relatively high familiarity with the entire codebase, and there are those who are responsible for managing binary packaging of the software to various distributions.

We prepare the fix. We review the fix. We repeat until we agree that the proposed fix is what we want to deliver. We arrange the coordinated disclosure and release among distro people and other stakeholders. All of the above have to be done behind public. Then we go public at the same time. It happened at 1100 US/Pacific on Apr 14th, 2020.

For this one, as the fix itself was relatively straightforward, the time it took between the initial contact and the release was spent mostly waiting for the slowest participant in the coordinated disclosure process (obviously I won't name names).

> What is your advice to Git users?

Release is announced and users are urged to upgrade, like you wrote in your article at The Daily Swig.