Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: distros & linux-distros embargo period and message format
From: Solar Designer <solar () openwall com>
Date: Thu, 2 Feb 2012 06:01:45 +0400

On Wed, Feb 01, 2012 at 07:29:05PM -0500, Marc Deslauriers wrote:
This means vendors will be keeping information about the vulnerability
private until they are confident they are able to release within a week,
at which point they will then share the information with other vendors
who will scramble to get their updates ready.

Yes, this is one of the things I expect to be happening, too.

You asked me "why", but not "why not" - and this matches our roles for
this discussion well. ;-)

As a distro, I now have two choices: I sit on vulnerabilities until our
own QA and testing is done, at which point I send them to the list and

Why can't you send to the list when you are half-way done, if 2 weeks
would have been enough for you normally?

hope that 7 days is enough for everyone else, or I simply stop using the
list for anything that's more than trivial and contact other vendors
directly.

Another option: contact large vendors who need more time for QA first
(2 weeks before CRD), post to the list later (1 week before CRD).  There
are possibly just a few large vendors/distros who need this (I am
thinking Ubuntu, Red Hat, SUSE - and that might be all).

Also, when you post to the list, you're able to share more info with
other vendors (those on the list): not only info on the bug, but also
your patches (perhaps already partially tested), advisory draft, etc.
That way, it is easier for other vendors to be done in 1 more week.

Drawbacks:
- Large vendors gain an advantage.
- Fixes may be worse since no input is provided by other/smaller vendors
early on (e.g., I would not have a chance to identify a shortcoming in a
patch being tested by Ubuntu until the patch is already sent to QA, so
is too late to revise unless it fails QA).

Alexander


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]