List:       oss-security
Subject:    Re: [oss-security] [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails
From:       Solar Designer <solar () openwall ! com>
Date:       2013-12-22 10:34:07
Message-ID: 20131222103407.GA11061 () openwall ! com

Hi all,

On Sun, Dec 22, 2013 at 01:29:58AM -0800, nick@firedev.com wrote:
> I am trying to upgrade but the suggested error handler doesn't work.
...

Are these followup postings still on topic for oss-security, or should
this possibly be discussed elsewhere and, if necessary and when ready,
summarized for/on oss-security as well (e.g., in the form of a revised
security advisory)?  I am not sure, and as a co-moderator I am wondering
if/when we should start rejecting messages in this thread that are CC'ed
to oss-security by non-subscribers.  I'd appreciate advice.

This is actually part of a more generic issue: whenever an upstream
project posts a security advisory CC'ed to that project's list(s) and to
oss-security, we often end up getting followup postings by users of the
project's software who are not into security and thus comment on
non-security aspects.  This is sometimes fine and maybe even desirable,
but sometimes it gets too far off topic for oss-security, and it's often
difficult for moderators to decide when to start rejecting.  A better
approach may be for upstream projects to be sending such announcements
to their lists and to oss-security separately, not by CC'ing.
(I actually asked OpenStack to start doing that a while ago, and I guess
they're doing it that way now.)

Alexander