Concerning the ntp-4.2.8p8 security fixes
hmurray at megapathdsl.net
Fri Jun 3 17:55:14 UTC 2016
dfoxfranke at gmail.com said:
> I'm on the fence as to whether this bug is bad enough to merit tagging a
> release right away. Both NTP.org and the Redhat folks who discovered the bug
> are downplaying it, but I'm leaning toward yes given that even *legitimate*
> leap seconds have a long history of creating ops havoc, so a bogus one could
> be especially insidious.
I think as a general policy we should push the release button whenever we fix
a security bug.
That just pushes the problem to "what is a security bug?" I'd say two
reasons. One is an obvious security bug. The other is anything with a CVE
number or equivalent listing on some respected bug tracking database.
These are my opinions. I hate spam.
More information about the devel