[Rpm-maint] [rpm-software-management/rpm] Require creation time to be unique and hashed (PR #1912)

Panu Matilainen notifications at github.com
Tue Feb 22 07:24:31 UTC 2022


>> It is a security vulnerability, but upstream disagrees.
>
> Have you made a report to [secalert at redhat.com](mailto:secalert at redhat.com)?

@DemiMarie , that address is meant as a last gasp place if upstream cannot be reached and/or where the CVE disclosure protocol is required. Invoking that machinery involves a lot of overhead for everybody involved. This is already public, and you're talking *at upstream* about this, so please... 

Whether a given unimplemented bit of the OpenPGP spec is a security vulnerability in rpm or not is always going to be a case-by-case decision, because only a limited subset of it is relevant for the rpm use case. I have no offhand opinion about this one.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1912#issuecomment-1047497134

Message ID: <rpm-software-management/rpm/pull/1912/c1047497134 at github.com>