Both are relatively minor on a scale from "meh" to "OMG shut everything down!". Every major project has security bugs now and then.
There are many mail clients that will send passwords over non-TLS links (that was standard practice for decades...and you can still convince many mail clients to do it without much fanfare). This change prevents foot-shooting and that's good, but, the fact that they didn't prevent foot-shooting for a little while due to an oversight isn't some massive security failure.
The git-in-git issue is pretty subtle. I'm not surprised it slipped by unnoticed for a while.
I was referring to the SMTP issue. I should have made that more clear.
> Both are relatively minor on a scale from "meh" to "OMG shut everything down!". Every major project has security bugs now and then.
Definitely. I don't think the problem itself is that bad. My main issue is that it was introduced with the ramifications in mind (see the original issue) and an RFC specifically stating it should only be used with TLS connections. The only reasonable use case is for connections to localhost; so the fix should have been implemented when the feature was added.
So my main issue is with the culture around the SMTP issue; if the Go contributing community lets an easy-to-recognize (and recognized) issue through, I don't have much faith more subtle and important bugs will be properly handled. It may be that more security critical pieces of Go have a more rigorous culture.
> The git-in-git issue is pretty subtle. I'm not surprised it slipped by unnoticed for a while.
Could you name any projects of a similar age, exposure, and utility, that don't have similar bugs? Furthermore, a comparison between the vulnerability and discoverability dates - I think Go would prove well above average here...
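The TLS-or-localhost guard the thread says should have shipped with the feature, written here as an added example that wraps net/smtp's PlainAuth (this is not Go's own implementation); the guardedPlainAuth type, NewGuardedPlainAuth and isLocalhost are hypothetical names:

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/smtp"
)

// ErrUnencrypted is returned instead of ever handing the password to the
// transport when the session is neither TLS-protected nor local.
var ErrUnencrypted = errors.New("smtp: PLAIN auth refused: no TLS and peer is not localhost")

// guardedPlainAuth (hypothetical name) wraps net/smtp's PlainAuth so that the
// TLS-or-localhost rule is enforced before the inner authenticator runs.
type guardedPlainAuth struct {
	inner smtp.Auth
}

// NewGuardedPlainAuth builds the guarded authenticator for the given host.
func NewGuardedPlainAuth(identity, username, password, host string) smtp.Auth {
	return &guardedPlainAuth{inner: smtp.PlainAuth(identity, username, password, host)}
}

// isLocalhost accepts the literal name "localhost" and any loopback IP.
func isLocalhost(name string) bool {
	if name == "localhost" {
		return true
	}
	ip := net.ParseIP(name)
	return ip != nil && ip.IsLoopback()
}

// Start is where the credentials would be released, so the check lives here;
// the AUTH list a server advertises cannot be trusted on a plaintext link.
func (a *guardedPlainAuth) Start(server *smtp.ServerInfo) (string, []byte, error) {
	if !server.TLS && !isLocalhost(server.Name) {
		return "", nil, ErrUnencrypted
	}
	return a.inner.Start(server)
}

// Next forwards the rest of the exchange to the wrapped authenticator.
func (a *guardedPlainAuth) Next(fromServer []byte, more bool) ([]byte, error) {
	return a.inner.Next(fromServer, more)
}

func main() {
	a := NewGuardedPlainAuth("", "user", "secret", "mail.example.com")
	_, _, err := a.Start(&smtp.ServerInfo{Name: "mail.example.com", TLS: false})
	fmt.Println("plaintext attempt:", err)
}
```

Current Go releases enforce the same rule inside PlainAuth itself, so the wrapper is redundant there, but it makes the check visible and testable on its own.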