On 7/21/2011 10:57 AM, Alan Bartlett wrote: > On 21 July 2011 16:41, Les Mikesell<lesmikesell at gmail.com> wrote: >> On 7/21/2011 10:19 AM, Alan Bartlett wrote: >>> On 21 July 2011 16:05, Les Mikesell<lesmikesell at gmail.com> wrote: >>> >>>> The important thing to know is when published CVE's are fixed upstream >>> >>> Sorry Les but you are going OT. With regard to what you have just >>> said, we all have the ability to monitor what the "Upstream Vendor" >>> does. >> >> And I'm sorry that you think that well-known but unpatched >> vulnerabilities in the software published as CentOS is OT. What the >> upstream vendor has said about it isn't the relevant point. What is >> relevant is that CentOS has shipped the vulnerabilities; a lot of other >> people know about them, and the CentOS users deserve to know as well, >> especially when the fix is hidden in the CR repo. > > Riding on your hobby-horse, once again. > > See KB's opening post to this thread. That sets the topic. And I'm trying to correct it from a user's perspective. If I have a specific bug in an application or driver that affects my system, I'll know about it and seek out the fix. The ones I need to be informed about are the security vulnerabilities included but hidden in the distribution, and I especially need to know that when they are published in a way that makes a large number of other people aware that my system still has them. -- Les Mikesell lesmikesell at gmail.com