Lack of update information

Matthew Woehlke mw_triad at
Mon Jan 26 23:22:01 UTC 2009

Kevin Kofler wrote:
> diff -Nur foo-old foo-new
> and you'll see fairly quickly what they fixed. (And it's also trivial for a
> cracker to do that, so it's utterly pointless to try withholding
> information that way.)

I disagree.

I recently fixed something that could be considered "denial of service" 
in a program I maintain. The patch basically replaces some instances of 
'foo=object; object.incrementRefCount();' with 'foo=object.clone();'. 
I'd challenge you to figure out from just that how to exploit the 
problem, whereas the bug report might contain a detailed description of 
what you had to do, how the timing has to work out, and exactly what 
effect would be seen.

There's a difference between having to engineer an exploit from the 
patch (especially if even the commit is vaguely worded), and having full 
documentation on the problem and its cause.

Please do not quote my e-mail address unobfuscated in message bodies.
find / -user your -name base -print0 | xargs -0 chown us:cats -- Unknown
