About security updates and repository "lockdown" (hagander.net)
48 points by craigkerstiens on March 30, 2013 | 6 comments


I've been impressed by the humility displayed in the announcements about this lockdown. There is no marketing BS or developer know-it-all here.


Yeah exactly, although it's being met with slightly noisy press coverage which is counterproductive past a certain point. Ideally the time spent on this blog post shouldn't have been needed.

I guess there's still a positive to the weirdly over the top press coverage - and that is that more people are in a position to adopt these patches as they're released.

Full marks either way to the PostgreSQL project.


While it is certainly logical to withhold access to this information, it stands to reason that in case this information is released to the public through other means then it would be very troublesome for them.


This blog post implies that the vulnerability can be affected by your environment. Hopefully that means it's related to authentication somehow, and not some encoding or escaping flaw in queries themselves.


> We are not going to permanently hide any information, or try to obfuscate the contents of security patches (*cough* unlike some other players in the field)

What is it referring to?


Yeah, let's announce to the world REALLY LOUD that now is the time for blackhats to either hack into our servers or bribe some of our developers to give them source code.

Genius!

In other words, the issue is that these guys are too stupid to make the git repository used in the build infrastructure be configurable (so they could build packages from a separate private one...), and also too stupid to at least lie claiming the servers went down instead of announcing their stupidity.

Hopefully the database is written by a different set of people than the ones doing system administration.



