Comment 11 for bug 1647467

Julian Andres Klode (juliank) wrote :

Sorry about that, Marc. There is no real coordination yet; apparently I'm moving a bit too fast for security teams to keep up :)

We received the bug report yesterday from Google with their usual 90 day disclosure deadline:
"This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public."

The fix was simpler than I thought as I misunderstood the initial suggestions (it was a list, I thought we needed to do all in it, but just one thing is enough...). My intention is to provide the fixes today for all affected Debian and Ubuntu releases, in the form of debdiffs in this bug for the Ubuntu ones, to enable some work.

That said, I have no idea how much coordination is needed from security folks, so I'm not sure when we will be able to publicly release it. You guys need to figure that out. I sort of feel offended by security bugs, so I'd really love to move fast on these :)

I'm not a fan of responsible disclosure. I consider it an irresponsible practice, but that's my personal opinion, and if people want to play the game of withholding fixes until everyone catches up, I'm willing to play along for a few days, but not very long.