From: Martin H. <mar...@si...> - 2016-03-14 10:15:17
|
Dear Rene, > So why was this not posted to this list when I initially asked for information > about the issues? Because the CVEs weren't raised until after 1.3.6 was released. The same will happen for 1.3.7. My understanding is that Mozilla will wait for me to get the release out before they request the CVE allocations. So I can't tell you about something that hasn't happened yet. I would be happy for Mozilla to raise the CVEs earlier. But it is also nice to be able to say that the bug is fixed in a release, when the CVE is raised. There is clearly a chicken and an egg involved in this. In this case I will do the release, and as soon as the CVE allocations are made and I become aware of them (which isn't necessarily immediate) I will produce a mapping from CVEs to commits for those who want it. But since there are no CVEs out (that we are aware of) for what will be in 1.3.7 I cannot give them to you at the point when I release 1.3.7. Yours, Martin |