
List:       oss-security
Subject:    Re: [oss-security] MaraDNS 1.4.06 and 1.3.07.11 released
From:       Tomas Hoger <thoger () redhat ! com>
Date:       2011-01-31 11:00:54
Message-ID: 20110131120054.53312d3d () orphan

Hi Sam!

On Sat, 29 Jan 2011 22:21:08 -0700 Sam Trenholme wrote:

> I would like to thank Mr. Witold Baryluk for pointing out this issue,
> taking the time to backtrace the bug, and for bringing it to my
> attention by posting to the MaraDNS mailing list.  However, I need to
> let him know that making this public by filing a public Debian bug
> without first trying to contact me is not the appropriate way to
> handle a security problem with MaraDNS.  The appropriate way to do so
> is via private email.  My email address is here:
> 
> http://samiam.org/mailme.php

I think it may be a good idea to have this preferred way of receiving
security reports for MaraDNS documented on the project web site in a
way that does not make it hard to find.

I took a quick look at the maradns.org web site to see what contact
info I can find as someone who may want to report a security flaw, but
does not have any closer relationship with the project's upstream or
community.

The main page suggests using the mailing list for bug reports.  There is
the contact.html page that does document what to do when reporting a
security issue, but the page does not seem to be linked from other pages
(I noticed it thanks to the web site copy bundled in the maradns source
tarball).  There's a link from sponsors.html, but that page is no longer
linked from the site menu.

So while the info is there, I don't see an easy way to find it by
following links from the main page.  Maybe that's something you may
want to change.

Just my 2c, HTH.

-- 
Tomas Hoger / Red Hat Security Response Team