Hi,

First of all, sorry for the segfaults/troubles you've got.  Let me
clarify things a little bit further.

= vulnerability

The vulnerability was reported by the Apple development team.  The bugs
are all due to integer overflow.  From our analysis, we believe all of
them cause segmentation faults at most.  They do not seem to allow
arbitrary code execution, unlike their report.

= release management

Since 1.8.6, we have reformed our release management.  The Ruby 1.8
release manager is Akinori MUSHA <knu at iDaemons.org>.  He is
responsible for the 1.8 head release (i.e. 1.8.7 right now).  Besides
that, we maintain two prior versions for production maintenance (1.8.5
and 1.8.6 now).  Shouhei URABE <shyouhei at ruby-lang.org> is
responsible for those versions.  We don't think we need to fix this
process.

= apology

Apple asked us not to disclose the vulnerability until a specific
date, and to release the fixed version on the same date.  Considering
the possible exploit (it seemed much more serious at the time of the
report), Apple's request was fair enough.

But since we have already made some bug fixes on 1.8, we should have
publicly asked the community to test the release candidate (except the
vulnerability fixes) first.  Without that kind of community test, we
released it with some incomplete (and broken) bug fixes, and caused
you troubles.  That's our fault.  Sorry.

I understand you want to fix the release management process so that we
don't see this kind of trouble again.  But I believe the process isn't
broken, so we don't need to fix it.  What we need to fix is the process
for handling security issues.  Since we meet security issues less often
than usual releases, we sometimes make mistakes in handling them.  We
will try to find a balance between disclosure (to ensure reliability)
and keeping secret (to ensure security).

It might be a good idea to form a larger team for quality assurance.

							matz.