[insanitybit]

Attackers can just go look at the repo's commits. Holding back the information only hurts defenders.

[macintux]

It seems unlikely to me that the maintainers are that careless.

[insanitybit]

It is the norm for the patch to be committed and the CVE to be acquired as part of that process.

[macintux]

Yep, per this comment my optimism was misplaced.

https://news.ycombinator.com/item?id=33384596

[macintux]

Or, it appears I may have been correct the first time.

https://news.ycombinator.com/item?id=33382684

[insanitybit]

That's cool. Some projects do that, some do not.