On Wed, 2002-08-21 at 13:13, Bruce Momjian wrote:
> Justin Clift wrote:
> > Bruce Momjian wrote:
> > >
> > > Justin Clift wrote:
> > > > Only two things which have the potential to be worth waiting for, from
> > > > what I'm aware of. There may be others:
> > > >
> > > > - Find out from Sir Mordred if he wants to take a look at the CVS
> > > > version of code and audit in that for a bit, Just In Case he turns
> > > > up something that's serious and requires substantial re-work.
> > > > Although it means he wouldn't have a bunch of "I found this existing
> > > > exploit" type releases, we could instead offer him credit on the
> > > > press release along the lines of "This released has been audited for
> > > > security flaws in its code by Sir Mordred". Am pretty sure he'd
> > > > do a very thorough job for that, as it means he'd have an official
> > > > "product reputation" he'd need to stand by for it.
> > >
> > > This is interesting. He would have a month to do it.
> >
> > Reckon it's worth asking him, to find out if he'd be interested in this?
>
>
> I wouldn't do it yet until we know if we are going to delay.
I'd ask anyway. 99% of the issues he finds will be fairly localized.
Anything truly new (not on TODO already) will probably require a fair
bit of time to track down, then fix time on top (2 months delay?).
Anyway, these types of discoveries are better in beta than after the
release and would still warrent a mention if there is a fair amount of
ground covered.
Personally, I'd be more interested in whats safe (covered) than whats
broken. Posting the successful test cases as some proof rowards
stability / security of the new release would realize immediate gains in
settling nervous VPs about the new installation.