On Wed, Feb 01, 2012 at 07:29:05PM -0500, Marc Deslauriers wrote:
This means vendors will be keeping information about the vulnerability
private until they are confident they are able to release within a week,
at which point they will then share the information with other vendors
who will scramble to get their updates ready.
Yes, this is one of the things I expect to be happening, too.
You asked me "why", but not "why not" - and this matches our roles for
this discussion well. ;-)
As a distro, I now have two choices: I sit on vulnerabilities until our
own QA and testing is done, at which point I send them to the list and
Why can't you send to the list when you are half-way done, if 2 weeks
would have been enough for you normally?
hope that 7 days is enough for everyone else, or I simply stop using the
list for anything that's more than trivial and contact other vendors
Another option: contact large vendors who need more time for QA first
(2 weeks before CRD), post to the list later (1 week before CRD). There
are possibly just a few large vendors/distros who need this (I am
thinking Ubuntu, Red Hat, SUSE - and that might be all).
Also, when you post to the list, you're able to share more info with
other vendors (those on the list): not only info on the bug, but also
your patches (perhaps already partially tested), advisory draft, etc.
That way, it is easier for other vendors to be done in 1 more week.
- Large vendors gain an advantage.
- Fixes may be worse since no input is provided by other/smaller vendors
early on (e.g., I would not have a chance to identify a shortcoming in a
patch being tested by Ubuntu until the patch is already sent to QA, so
is too late to revise unless it fails QA).