mailing list archives
Re: Ruby CVEs
From: Solar Designer <solar () openwall com>
Date: Thu, 21 Mar 2013 06:57:54 +0400
On Wed, Mar 20, 2013 at 09:57:20PM -0400, larry Cashdollar wrote:
This was my fault, I should have sent the CVE numbers off list. Sorry all.
Why keep information off-list, when it is of interest to some on the
list? That would be worse. Reviewing the list archives, I see that the
"Ruby CVEs" thread was started in here by Kurt:
Then you posted three additional messages on the same day:
with each of them in its own thread. Thus, maybe the only thing you
could have done better on that day (given that you had already requested
CVEs privately 3 days before) was to reply to the thread started by Kurt,
thereby making it more likely that he'd see the messages as being
relevant to his "Ruby CVEs". I understand that replying to an existing
thread with a forwarded message may be cumbersome; if so, you could have
posted the forwarded messages separately (like you did) and then replied
to the original thread saying that you had just posted a relevant
message (and preferably including a list archive URL for that message).
On March 16, you could have done better by requesting the CVEs via
oss-security rather than in private. This would also serve to inform
the list subscribers of the security issues earlier.
Kurt could have done better by paying attention to other messages on
this list before assigning CVE IDs. The traffic in here is not high.
Overall, I think all of you have tried to do the right thing, and I
would not want to have information withheld from this list merely to
avoid duplicate CVE IDs in the future. CVEs are handy, but the CVE
assignment process should not affect what is posted publicly and when.