Re: Anyone here read vuln-dev?

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 29 Oct 2000 22:51:36 +0100

Robert Collins wrote:

> it's #&NNN; for the format -

I know.. only tested if you were awake ;-) (heck, I have spent the last
months writing a specialized web server, and have had to deal with these
issues and a horseload of related issues...)

> 0-1F done. 127 & above done in the attached update html. c (and yes rfc1738
> was a very handy inspiration :-]

Ok. Will look into all the details shortly.

> <WHINE MODE>Personally I think it would have been appropriate for the
> "ideas" person to have let squid-dev know before dropping it on the world
> via vuln-dev....
> </WHINE MODE>

Then whine on that person, not squid-dev ;-)

However, there is an apparent lack of official indication of where to
report security issues in Squid. IIRC then once in a while squid-bugs
was documented as the place to send security bugs, but I cannot find any
indication of where to send security bugs/issues today (if there ever
has been).

To cure this I propose that

a) security@squid-cache.org is created and documented under "contacting
us". For the time being it should be an alias for the squid-bugs list to
keep it private and out of public archives.

b) squid-dev is documented under "contacting us" as a way to reach the
developers.

c) The non-contact lists mentioned on "contacting us" are ripped out of
there. It is sufficient if the page says that there are also public
mailing lists and refers to the mailing list page.

/Henrik
Received on Sun Oct 29 2000 - 14:54:37 MST
