[tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

Guy Harris guy at alum.mit.edu
Mon Nov 24 16:52:17 EST 2014


On Nov 24, 2014, at 1:24 PM, Denis Ovsienko <denis at ovsienko.info> wrote:

> So the problem is to let GitHub do its good things to tcpdump yet to protect from the bad ones. To me it seems that for the next few years the best balance between survivability and convenience would be in continuing to use both GitHub and bpf.tcpdump.org, but with one important change. The changes should normally be committed to GitHub instance only, as that's currently the environment that is most convenient for contributors of varying levels of experience. Then bpf.tcpdump.org would not experience auto-merging difficulties any more and with the two repositories being 100% identical

What mechanism would be used to ensure that any change committed to GitHub will be pushed/pulled to bpf.tcpdump.org in a timely fashion when possible (with catchup pushes/pulls if it becomes impossible for a while due to some problem)?

> the read-only choice between the two will become again purely theoretical and a matter of taste.

But doesn't "The changes should normally be committed to GitHub instance only" mean that the bpf.tcpdump.org repository should be treated as read-only for contributors - presumably including core contributors?

