Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: distros & linux-distros embargo period and message format
From: Solar Designer <solar () openwall com>
Date: Thu, 2 Feb 2012 08:54:50 +0400

On Wed, Feb 01, 2012 at 09:17:39PM -0700, Kurt Seifried wrote:
Is something changing to significantly increase this risk that
we (the community) are unaware of?

As far as I'm aware, no - it's all the same concerns and reasoning that
we had e.g. 10 years ago.

You allude to:

"Why I am making this proposal now: this is triggered by a certain
off-list discussion I just had; unfortunately, the other party does not
permit me to post more about it."

Which is awfully vague.

Unfortunately, yes.  Well, I can add that it's just a person's negative
opinion on what we're doing with these closed lists, with reasoning -
and nothing more.

I think it's important for there to be openness,
transparency and honesty in this process or else it won't work.

I fully agree.  However, when someone e-mails potentially helpful
comments to me yet does not permit me to post them to the list, what
options do I have?  Stop the discussion right there - either we discuss
this in public or not at all?  I guess for some topics I would do just
that, but I felt that this one did not cross that line.

Like you
pointed out earlier vendors may choose to stop playing together, which
would REALLY not be good for the vendors or the Open Source community
long term.

That's my opinion too.

Yet I needed to bring the topic up.  I was not 100% sure that some
vendors currently on the list would find 7-11 days unacceptable.  Being
90% sure was not enough.

I've noticed a decrease in embargo periods over time - I think for
vendor-sec the average might have been 14 days if not more, whereas now
it might be down to 10-12 days or so (excluding the hash DoS thing).
So we turned the old average into the new maximum.  I thought that maybe
we were ready for the "next level" - but it seems not.  Maybe later?

Alexander


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]