



























As the article notes, the bug tracker is still open, so if you find a security bug you can still report it. The difference is the project will not formally "accept" it with the whole brouhaha of embargoes, CVE numbers, drop-everything-and-fix-it-now. I think that might be the way forward in general, not just for one summer. A Linux kernel vulnerability that can be exploited remotely may still deserve its own web page, catchy name, and mysterious "you are strongly recommended to upgrade" fixes. But a bug in libcurl can just be reported and fixed in the normal way. If you found it with an LLM, anyone else could have found it, and probably already have.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。