[CentOS-devel] announcing stuff that is in CR/

Thu Jul 21 16:15:21 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On 7/21/2011 10:57 AM, Alan Bartlett wrote:
> On 21 July 2011 16:41, Les Mikesell <lesmikesell at gmail.com> wrote:
>> On 7/21/2011 10:19 AM, Alan Bartlett wrote:
>>> On 21 July 2011 16:05, Les Mikesell <lesmikesell at gmail.com> wrote:
>>>> The important thing to know is when published CVEs are fixed upstream
>>> Sorry Les but you are going OT. With regard to what you have just
>>> said, we all have the ability to monitor what the "Upstream Vendor"
>>> does.
>> And I'm sorry that you think that well-known but unpatched
>> vulnerabilities in the software published as CentOS is OT.  What the
>> upstream vendor has said about it isn't the relevant point.  What is
>> relevant is that CentOS has shipped the vulnerabilities; a lot of other
>> people know about them, and the CentOS users deserve to know as well,
>> especially when the fix is hidden in the CR repo.
> Riding on your hobby-horse, once again.
> See KB's opening post to this thread. That sets the topic.

And I'm trying to correct it from a user's perspective.  If I have a 
specific bug in an application or driver that affects my system, I'll 
know about it and seek out the fix.  The ones I need to be informed 
about are the security vulnerabilities included but hidden in the 
distribution, and I especially need to know that when they are published 
in a way that makes a large number of other people aware that my system 
still has them.

   Les Mikesell
    lesmikesell at gmail.com