Date: Thu, 2 Feb 2012 00:54:59 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: distros & linux-distros embargo period and message format

On Fri, Jan 20, 2012 at 01:44:45PM +0400, Solar Designer wrote:
> http://oss-security.openwall.org/wiki/mailing-lists/distros
>
> to state the following:
>
> "Please note that the maximum acceptable embargo period for issues
> disclosed to these lists is 14 to 19 days, with embargoes longer than 14
> days (up to 19) allowed in case the issue is reported on a Thursday or a
> Friday and the proposed coordinated disclosure date is thus adjusted to
> fall on a Monday or (preferably) a Tuesday. Please do not ask for a
> longer embargo. In fact, embargoes shorter than 14 days are preferable."

I've just revised the last sentence above to say "In fact, embargo
periods shorter than 7 days are preferable."

Can we possibly afford to change the maximum to 7 to 11 days (depending
on day of week)? That is, 7 days is the standard maximum, up to 11 days
is possible if the issue is reported on a Thursday or a Friday (only in
these two cases).

I am for this change (in both my list member for Openwall and my list
admin capacity). What about others?

(In fact, I'd prefer an even shorter maximum, but I am proposing what I
think has a chance to be approved by others without making the list a
lot less useful to them.)

Also, I added the following to the wiki page:

"Please note that any/all list postings may be made public once the
corresponding security issue is publicly disclosed, so please do not
post information that you want to stay private forever."

with a footnote that says:

"There was/is intent to be making all list postings public with a delay,
which is currently not yet implemented for technical reasons, but it may
be implemented and applied retroactively - that is, including to past
postings."

Those "technical reasons" are me not being aware of a program to
mass-decrypt an mbox with PGP/MIME messages (producing an mbox with
decrypted messages). I'd appreciate it if someone finds or writes this
program.

Alexander