Re: [exim-dev] Test release of exim 4.72 uploaded

Author: Phil Pennock
To: Simon Arlott
CC: exim-dev
Subject: Re: [exim-dev] Test release of exim 4.72 uploaded

On 2010-05-29 at 17:33 +0100, Simon Arlott wrote:
> This release appears to be getting rushed through just
> because it fixes an issue that has a CVE number.

It is getting rushed because it fixes issues which are a security
problem for some users. There is some degree of duty of care, where
we're aware of security issues, to deal with them in a timely manner.

When the software causes security problems, that's more critical than
when the software doesn't perform as it should in other ways. The
presence or absence of a CVE number is irrelevant.

To a limited extent, when there is a security problem, as few other
changes as possible should go in because administrators should not be
left facing a choice of "live with security problem" vs "break the
setup". Small obviously-correct bugfixes are probably okay.

Yes, other fixes are getting pulled in. I saw the DKIM ones go in. I
thought about doing them last night but decided I would leave it for
when I was more rested, so I've been beaten to it.

By way of example of things that might be skipped in a security release:
If it had been my choice, the dnsdb/TXT lookup changes would *not* have
gone in, because they change existing behaviour in ways which we hope
are correct, because it's adding syntax which wasn't there before, but
it's into the grey area. This, despite the fact that I did want those
fixes to go in anyway -- just perhaps not in this release.