Kevin Kofler wrote:
diff -Nur foo-old foo-new and you'll see fairly quickly what they fixed. (And it's also trivial for a cracker to do that, so it's utterly pointless to try withholding information that way.)
I disagree.I recently fixed something that could be considered "denial of service" in a program I maintain. The patch basically replaces some instances of "foo=object; object.incrementRefCount();' with 'foo=object.clone();'. I'd challenge you to figure out from just that how to exploit the problem, whereas the bug report might contain a detailed description of what you had to do, how the timing has to work out, and exactly what effect would be seen.
There's a difference between having to engineer an exploit from the patch (especially if even the commit is vaguely worded), and having full documentation on the problem and its cause.
-- Matthew Please do not quote my e-mail address unobfuscated in message bodies. -- find / -user your -name base -print0 | xargs -0 chown us:cats -- Unknown