On Mon, 7 Mar 2005 08:52:17 -0500, Jean-Philippe Barrette-LaPierre
<jpbarrette_at_savoirfairelinux.net> wrote:
> On March 7, 2005 08:39 am, Jean-Philippe Barrette-LaPierre wrote:
> > On March 7, 2005 08:10 am, Ralph Mitchell wrote:
> > > Do they have any kind of ,mailing list we could join and let their
> > > users know the truth?? I'll have a look later when I'm more awake.
> >
> > They submitted a bug report:
> > http://www.securityfocus.com/archive/1/391042
> >
> > discusted in this thread:
> > http://curl.haxx.se/mail/lib-2005-02/0172.html
>
> But I searched in the curl-user, curl-library mailling-lists and I couldn't
> find anything that they could have sent.

I believe that is the point. The curl mailing list thread is a
discussion of the patch, once the "advisory" (not sure why I use a
polite term) was already made public and information did trickle down
to Daniel and others. Posting something to a securityfocus mailing
list does not constitute advance notice or vendor notification either,
of course.

My personal belief (incorrect perhaps, but I'm holding on to it until
presented with evidence to the contrary) is that some people hunting
for bugs does not particularly care to have the vendor fix the problem
before letting the rest of the world know to boost their own ego.

Lars Nilsson
Received on 2005-03-07