Hi,
it's getting that obvious nobody has time to manage an interim
release, so we should put out a security advisory. The least we can do
is to tell users what the risks are.
Needless to say, it's a tricky job on the one hand not to let users
under-estimate the risks, and on the other hand, not to scare them in
a way that they would use tools that may be even more dangerous for
their specific usecase.
I'm unsure what kind of action-oriented advice we should give in this
document. For people who only want anonymous web browsing, and don't
care about local traces, pointing them to the TBB probably is the
best. For users who don't care about the web, well, nothing to do.
For users who need anonymous web + no local traces, possibly this
advisory might quickly mention where our ESR11 packages can be found
(making it clear they're untested, unsupported, and for advanced users
only).
Any taker?
(Oh, and let's not spend more time discussing what to put in this
advisory than we would have spent preparing a real release.
Anything will be better than nothing.)
Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
