On 8/24/07, Jordan Wiens <jwiens@psifertex.com> wrote:
On Aug 23, 2007, at 7:14 PM, Jason Fesler wrote:
mind that we are 0.1-rc1 and be gentle! ;))
IMO: Be .. *polite*. But, real problems if identified need a fixin. The fact that RC is a 0.1 and not a 1.0 means this is a great time to have it come up, before there is too much of an install base for RC.
Being that there's always two sides to the argument on disclosure, I just want to say thank you Jordan, for giving a chance to do things politely. :-)
Glad to be of service! I'm a big believer and user of open-source, so this only makes sense to me. I figure everybody wins -- you guys get a fairly decent security audit (though certainly not comprehensive -- being that I'm really focusing on testing the products and not RC itself) and I've got a great test application to throw scanners against and watch how they handle (or don't as is mostly the case so far) AJAX apps.
I've got decent ideas on how to fix most of the vulns already, so hopefully I won't make much extra work for you guys, but we can still really tighten the security.
BTW -- I use RoundCube myself as a backup mail client, so I've got a vested interest as well. ;-)
Ok, we are all ears.
Thanks again,
Till

_______________________________________________
List info: http://lists.roundcube.net/dev/