> On Thu, Nov 08, 2007 at 07:36:24PM +0100, Simon Matter wrote: > >> It may not be worth for you to worry about it but it is worth for me and >> maybe also for Ken. People using my RPMs expect things to work. And >> people >> do use it on affected systems and they fill my mailbox or the list with >> complaints if Cyrus segfaults for them. > > People using RPMs can just install the security updates just as easily > as a new Cyrus RPM. The Red Hat advisory said a patch is available even > for Red Hat 7.1; are you still actively maintaining packages for Red Hat > 6.x? RedHat 7.x is the lowest version where the package builds (which is also RHEL 2.1 level). But I don't know why this bug should have been fixed in RedHat 7.1, it has never existed there! What I know is that it has never been fixed in Fedora Core 1 and never been fixed in RedHat 9 (it has only been fixed in RedHat EL3). Both platforms are still widely used, believe it or not. Need examples, check out on which platforms the Slashdot webservers run! > > And what is better? Hiding the problem under the carpet, or saying "See, > you have a security bug that is known for 4 years. If you have a bug > that old you probably have lots of other unfixed security bugs as well. > Go fix your system!". If you do care about the users, you should educate > them to always install security updates. That kind of thinking is part of the problem. I can't teach other people to take security serious but at the same time release an RPM package which segfaults on their systems. That way I make myself part of their problem. Simon ---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
