Re: libxml security fix from apple ... any information?
From: Solar Designer <solar () openwall com>
Date: Sun, 31 Jul 2011 01:27:21 +0400
On Sat, Jul 30, 2011 at 01:50:40PM -0700, Jeffrey Czerniak wrote:
> We would like to cooperate with other downstream distributors of free and open source software on security issues, as
> Apple is a major distributor of such software. However, our previous attempts to engage the community have not been
> successful. One-way disclosure of information related to security issues subjects our customers to non-trivial risk
> without providing any added security benefit. This is particularly pertinent if the disclosure were to occur in
> advance of the release of fixed software.
Is this a reference to the "closed list", which is currently Linux-only?
If so, are you saying that you would not share vulnerability information
with such a list ("one-way"), even for issues that you think are
relevant to Linux distro vendors, when Apple is not a member of the list?
I am merely asking for clarification because this is important info on
what communication channels should or should not exist and be in use.
I do not express any opinion.
FYI, my intent as linux-distros list admin has always been to have
specific non-Linux vendors informed if an issue is brought up that is
relevant to those vendors. That's regardless of whether those vendors
similarly inform the Linux vendors or not.
I do recall and partially agree with Apple's argument that we would not
know which of the issues affect your products, though.
For example, when the libsoup issue was brought up recently, I insisted
that the reporter would also inform *BSD's. I think that issue did not
affect Apple, did it? No GNOME in your products, right? (Not counting