Date: Thu, 2 Feb 2012 00:54:59 +0400
From: Solar Designer <>
Subject: Re: distros & linux-distros embargo period and message format

On Fri, Jan 20, 2012 at 01:44:45PM +0400, Solar Designer wrote:
> to state the following:
> "Please note that the maximum acceptable embargo period for issues
> disclosed to these lists is 14 to 19 days, with embargoes longer than 14
> days (up to 19) allowed in case the issue is reported on a Thursday or a
> Friday and the proposed coordinated disclosure date is thus adjusted to
> fall on a Monday or (preferably) a Tuesday.  Please do not ask for a
> longer embargo.  In fact, embargoes shorter than 14 days are preferable."

I've just revised the last sentence above to say "In fact, embargo
periods shorter than 7 days are preferable."

Can we possibly afford to change the maximum to 7 to 11 days (depending
on day of week)?  That is, 7 days is the standard maximum, up to 11 days
is possible if the issue is reported on a Thursday or a Friday (only in
these two cases).  I am for this change (in both my list member for
Openwall and my list admin capacity).  What about others?

(In fact, I'd prefer an even shorter maximum, but I am proposing what I
think has a chance to be approved by others without making the list a
lot less useful to them.)

Also, I added the following to the wiki page:

"Please note that any/all list postings may be made public once the
corresponding security issue is publicly disclosed, so please do not
post information that you want to stay private forever."

with a footnote that says:

"There was/is intent to be making all list postings public with a delay,
which is currently not yet implemented for technical reasons, but it may
be implemented and applied retroactively - that is, including to past

Those "technical reasons" are me not being aware of a program to
mass-decrypt an mbox with PGP/MIME messages (producing an mbox with
decrypted messages).  I'd appreciate it if someone finds or writes
this program.
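The kind of tool requested above, as an added example that is not part of the original message or of any Openwall code: it copies an mbox and replaces each RFC 3156 PGP/MIME body with its plaintext. It assumes `gpg` is on the PATH with the list's secret key usable non-interactively; the function names are hypothetical, and any signatures inside the plaintext are not verified.

```python
import email, mailbox, subprocess, sys

def gpg_decrypt(ciphertext: bytes) -> bytes:
    """Decrypt via the local gpg keyring (assumes gpg-agent can unlock the key)."""
    return subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"],
                          input=ciphertext, capture_output=True, check=True).stdout

def decrypt_message(msg, decrypt=gpg_decrypt) -> bool:
    """Decrypt one RFC 3156 PGP/MIME message in place; False if not PGP/MIME."""
    if (msg.get_content_type() != "multipart/encrypted" or
            (msg.get_param("protocol") or "").lower() != "application/pgp-encrypted"):
        return False
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return False                      # malformed: leave untouched
    # Part 1 is the "Version: 1" control part, part 2 carries the OpenPGP data.
    inner = email.message_from_bytes(decrypt(parts[1].get_payload(decode=True)))
    # The plaintext is itself a MIME entity: keep the outer envelope headers
    # and swap in the inner Content-* headers and body.
    for name in [h for h in msg.keys() if h.lower().startswith("content-")]:
        del msg[name]
    for name, value in inner.items():
        if name.lower().startswith("content-"):
            msg[name] = value
    msg.set_payload(inner.get_payload())
    return True

def decrypt_mbox(src, dst, decrypt=gpg_decrypt):
    """Copy mbox src to dst, decrypting where possible; returns (decrypted, failed)."""
    done = failed = 0
    inbox, out = mailbox.mbox(src, create=False), mailbox.mbox(dst)
    for msg in inbox:
        try:
            done += decrypt_message(msg, decrypt)
        except (subprocess.CalledProcessError, OSError):
            failed += 1                   # no usable key: keep the ciphertext as is
        out.add(msg)
    out.close()                           # close() flushes pending writes to disk
    inbox.close()
    return done, failed

if __name__ == "__main__":
    print("decrypted %d, failed %d" % decrypt_mbox(sys.argv[1], sys.argv[2]))
```

Messages that cannot be decrypted are copied unchanged and counted, so one missing key does not abort the whole archive.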

