Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Jan 2012 20:30:20 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: distros & linux-distros embargo period and message format

On Fri, Jan 20, 2012 at 08:50:40AM -0700, Kurt Seifried wrote:
> On 01/20/2012 02:44 AM, Solar Designer wrote:
> > "Please note that the maximum acceptable embargo period for issues
> > disclosed to these lists is 14 to 19 days, with embargoes longer than 14
> > days (up to 19) allowed in case the issue is reported on a Thursday or a
> > Friday and the proposed coordinated disclosure date is thus adjusted to
> > fall on a Monday or (preferably) a Tuesday.  Please do not ask for a
> > longer embargo.  In fact, embargoes shorter than 14 days are preferable."

> Why not just make it 10 business days

It wouldn't do the trick.  10 business days from a Wednesday gives us
another Wednesday, which is good, but 10 business days from a Friday
gives us another Friday (unless there are holidays).

> with a note to be kind with
> respect to holidays (i.e. over the Xmas break for us North/South
> Americans and Europeans).

That's tricky.  For example, in Russia the New Year holidays may last
for 11 or 12 days (such as Dec 30 to Jan 10).  If we attempt to account
for that along with the Christmas break, then 10 business days may turn
into a month.

So I don't mind adding an informal note "to be kind with respect to
holidays", but its exact meaning will vary and it should not affect the
maximum embargo period of 14 to 19 days.

> Agreed for the message format. Might want to
> add a list of tools/etc. that do pgp/mime so there is less of an excuse
> to do it improperly.

Feel free to add and maintain such a tools list on the wiki page.
I only know that Mutt works fine.

Thanks for your comments!

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ