On Friday 19 October 2007, Karel Zak wrote:
> This is upstream, we are not doing support for end-users.

I don't think that statement makes sense ... we support the util-linux package regardless of who is using it.

> I don't see __real__ demand for release immediately after every
> important bug. I prefer stable and well tested maintenance release
> every 2-3 months (e.g. 2.13.1) and major release every 4-6 months
> (e.g. 2.14).

I think this makes sense except for serious security issues. If the issue is a real problem that is putting people's systems at risk, then a new point release should be put out asap ... whether that means making a new release from the current branch (2.13.1 -> 2.13.2) or simply taking the last release and adding the security fix (2.13.1 -> 2.13.1.1), either is ok by me.

> CVE-2007-5191 is not critical according to discussion in vendor-sec
> mailing list.

Unless someone can present a realistic case where the set*id functions fail and thus expose the system to attack, then I'd agree this falls into the non-serious category.

-mike
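The set*id failure case discussed above, as an added example that is not code from util-linux or from anyone in this thread: a privilege drop that checks every return value and then verifies the result through getresuid()/getresgid(), in contrast to the pattern where an ignored setuid() error leaves the process running with its original privileges. The function name drop_privileges is this example's own.

```c
/* Added example, not from the util-linux thread: drop privileges and
 * verify the drop instead of ignoring set*id return values. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid. Returns 0 on success, -1 on any failure.
 * setgid() must come first: once setuid() has moved the process to an
 * unprivileged user it can no longer change its gid. Both calls can
 * fail; on Linux setuid() returns EAGAIN when the target uid is already
 * at its RLIMIT_NPROC limit, so a caller that discards the result may
 * silently keep running as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu): %s\n", (unsigned long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n", (unsigned long)uid, strerror(errno));
        return -1;
    }
    /* Confirm real, effective and saved ids all changed, so a partial
     * drop (saved id still privileged) cannot go unnoticed. */
    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != uid || euid != uid || suid != uid ||
        rgid != gid || egid != gid || sgid != gid) {
        fprintf(stderr, "privilege drop incomplete\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to the caller's own ids is a no-op that must still succeed. */
    if (drop_privileges(getuid(), getgid()) != 0)
        return 1;
    puts("privileges verified");
    return 0;
}
```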