Just FYI, 1.8.7 mentor is now shifting from knu to me.  After that I'm
going to manage 1.8.6 and 1.8.7, while knu will maintain the 1.8 branch
(which should be 1.8.8 someday).

Yukihiro Matsumoto wrote:
> Hi,
>
> First of all, sorry for the segfaults/troubles you've got.  Let me clear
> things up a little bit further.
>
> = vulnerability
>
> The vulnerability was reported by the Apple development team.  The bugs
> are all due to integer overflow.  From our analysis, we believe all of
> them just cause segmentation faults at most.  They do not seem to allow
> arbitrary code execution, unlike their report.
>
> = release management
>
> From 1.8.6, we have reformed our release management.  Ruby 1.8 release
> manager is Akinori MUSHA <knu at iDaemons.org>.  He is responsible for
> the 1.8 head release (i.e. 1.8.7 right now).  Besides that, we
> maintain two prior versions for production maintenance (1.8.5 and
> 1.8.6 now).  Shouhei URABE <shyouhei at ruby-lang.org> is responsible
> for those versions.  We don't think we need to fix this process.
>
> = apology
>
> Apple asked us not to disclose the vulnerability until a specific
> date, and to release the fixed version on the same date.  Considering
> the possible exploit (it seemed much more serious at the time of the
> report), Apple's request is fair enough.
>
> But since we have already made some bug fixes on 1.8, we should have
> publicly asked the community to test the release candidate (except the
> vulnerability fixes) first.  Without that kind of community test, we
> released it with some incomplete (and broken) bug fixes, and caused
> you troubles.  That's our fault.  Sorry.
>
> I understand you want to fix the release management process so as not to see
> this kind of trouble again.  But I believe the process isn't broken,
> so we don't need to fix that.  What we need to fix is the process to
> handle security issues.  Since we meet security issues less often than
> usual releases, we sometimes make mistakes in handling them.  We will
> try to find a balance between disclosure (to ensure reliability) and
> keeping secret (to ensure security).
>
> It might be a good idea to form a larger team for quality assurance.
>
> 							matz.