On 2018-02-09 at 15:32 +0000, Vsevolod Stakhov via Exim-dev wrote:
> It seems that FreeBSD is no longer considered in CVE early disclosure,
> isn't it?

There has been no change from Exim's side in how this was communicated.
We have an exim-maintainers mailing-list which has vetted people from
any interested OS project as members and that list received early
notification. I strongly suspect that the OpenWall distros mailing-list
received early notification (but am not on that list and haven't asked
Heiko; I only saw the public notifications on oss-security later).

Our process is documented at:
https://github.com/Exim/exim/wiki/SecurityReleaseProcess

So: we have a documented process, we have resources for OS folks to use,
nothing has changed here. If FreeBSD had missed the notification, then
that's unfortunate. I don't think I've done anything special in the
past to notify you beyond our documented process. If I did, then that's
on me for not documenting it for Heiko (or having any recollection of it
now).

What would you like us to have done differently?

-Phil