This repository has been archived by the owner on Apr 26, 2024. It is now read-only.
Just read #4 and noticed that 8.2.2 apparently fixes a medium-rated security problem. So I went back to the changelog and the only indication of any security fix was "Security improvements". To me this sounds more like general hardening than fixing a security-critical bug. The mail to announcements@owncloud.org did not mention security at all and only referenced the changelog.
We cannot expect our users to install any and all updates with the highest priority so I would think it is important to clearly state when a release is security-critical.
There also appears to be no way to easily keep up-to-date with security advisories. There seems to be no RSS feed and there is no mail to the announcements list when one is issued.
The policy we agreed on some time before was the following:
If a release patches a security issue we indicate in the changelog and the announcements@owncloud.org mailing list that this is a release that contains low/medium/critical security patches and that details will be released 14 days after release.
14 days after release, we release the advisories to the public.
Enterprise customers receive the advisory already at the point of release; the patches are, however, available at the same time.
So from my side we basically just need to have somebody asking me before the release whether this contains a security issue. This works quite well for the EE push notifications already :-)