I guess I am less than a halfwit even though I have a good amount of PHP knowledge. If I commit code, lets say I commit 10 files in my commit and one of those files fixed a security flaw, whether the flaw was known to me or not, I say upgrades to and fixes to v5 as usual. I don't see how I am going to put a red sign on distinguishing it from any other of the thousands of commits made. In addition, if anyone wanted to do harm they would actively seek out security flaws. You would find them much faster than waiting and hoping that someone slips up in a commit message. And lastly, it doesn't change the situation when you wait and commit it later. That commit is made and no site is upgraded still. So I believe I am still missing the point. I think it would be very helpful if someone could give me a concrete realistic example of the problem not committing will fix. Thank you, Alan On 1/16/08, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
DragonWize schrieb:
1. non-upgraded sites are at risk otherwise there would be need to change.
2. making commit doesn't advertise anything unless you put a description saying what the security flaw is and how to exploit it. hopefully it is obvious to not ever do that, no matter when you commit it.
Every halfwit with a bit of php knowledge can see why a particular commit with a strange commit message would be a security fix.
Cheers, Gerhard -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHjkzIfg6TFvELooQRAq6GAJ9lweU+hyy5PbAOuEVRWSiySuFvogCbBjjf Qk6mnYthpxCg9SykEg3xVNM= =a596 -----END PGP SIGNATURE-----
-- Alan Doucette Koi Technology, LLC www.KoiTech.net