by greysteil
446 days ago
Can we take a moment to appreciate how good the disclosure and coordination process on this was?

* Reported to the maintainers privately
* Patch published and CVE issued before wider disclosure
* Automated fix PRs created within minutes of public disclosure (and for folks doing proactive updates, before)

The above is _really_ excellent. Compare that to Log4j, which had no CVE and no patch at the time it became public knowledge, and it's clear we've come a long way.

Supply chain security isn't a solved problem - there's lots we can still improve, and not everything here was perfect. But hats off to @leerob and everyone else involved in handling a tough situation really well.