Concerning the ntp-4.2.8p8 security fixes

Hal Murray hmurray at
Fri Jun 3 17:55:14 UTC 2016

dfoxfranke at said:
> I'm on the fence as to whether this bug is bad enough to merit tagging a
> release right away. Both and the Redhat folks who discovered the bug
> are downplaying it, but I'm leaning toward yes given that even *legitimate*
> leap seconds have a long history of creating ops havoc, so a bogus one could
> be especially insidious.

I think as a general policy we should push the release button whenever we fix 
a security bug.

That just pushes the problem to "what is a security bug?"  I'd say two 
reasons.  One is an obvious security bug.  The other is anything with a CVE 
number or equivalent listing on some respected bug tracking database.

These are my opinions.  I hate spam.

More information about the devel mailing list