Date: Thu, 26 Jun 2014 21:15:05 -0600
From: "Don A. Bailey" <donb@...uritymouse.com>
To: oss-security@...ts.openwall.com
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

Totally understand. Not a problem at all, I thought I should just offer my perspective for this list, as they were not on the Linux kernel thread, nor the distros thread. :-)

I'm very happy to hear you agree that negative impact was minimal.

D

On Thu, Jun 26, 2014 at 9:10 PM, Solar Designer <solar@...nwall.com> wrote:
> Don,
>
> On Thu, Jun 26, 2014 at 02:37:47PM -0600, Don A. Bailey wrote:
> > I chose not to release the bug reports to the public within the timeframe
> > suggested by Solar for several reasons:
> > 1) I have deep visibility into the vulnerable code and understand the
> > constraints of exploitation and the breadth
> > 2) The public exposure was non-obvious, and was not advertised by the
> > vendor
> > 3) The most widely affected vendors (Linux and Oberhumer) had yet to
> > release a patch publicly
> > 4) The time between exposure and public release was short enough to
> > negative exposure
>
> Thank you for providing this reasoning.
>
> > My job, as I saw it, was to responsibly coordinate word between all
> > parties. I did that as best as I could given the teams, their time zones,
> > their understanding of the bug, and their speed.
> >
> > All in all, I think it worked out OK, and I am satisfied with the result
> > thus far. There are things that could have gone better, but overall each
> > team worked hard to produce solid patches in a reasonable time frame. We
> > hit that goal.
>
> I am also of the opinion that everyone did their best, and that's great.
>
> I think actual negative impact of the delay is small or non-existent.
> However, I felt we must have posted these additional comments on the
> disclosure process in here, because it deviated from what's normally
> expected for issues disclosed to the distros list:
>
> http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists
>
> "When the security issue is finally to be made public, it is your (the
> original reporter's) responsibility to post about it to oss-security
> (indeed, you and others may also post to any other mailing lists, etc.)"
>
> I am tempted to add "on the same day" after "to oss-security", since
> this is what we expect (and what usually happens), but there may be
> occasional exceptions like this, so maybe we leave the wording as-is?
>
> Alexander