Date: Wed, 22 Apr 2015 18:14:08 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: USBCreator D-Bus service

On Wed, Apr 22, 2015 at 05:50:35PM -0700, Tavis Ormandy wrote:
> > We treat local root escalation vulnerabilities with a high priority[1].
> 
> I wish you had spoken up during the previous discussion. It was my
> impression that embargoes for local privilege escalations were universally
> considered deprecated.

Believe me, I would have spoken up had I noticed any consensus forming
around that idea in the previous discussions; I don't recall seeing it.

Anyway, here we are, I'm speaking up now. Local root is still important
to us.

> Embargoes tend to make things worse, see your apport patch developed during
> embargo or shellshock for examples. However, if you're sure, I'm willing to
> do so for Ubuntu specific bugs in future.

I still believe reasonable length embargoes help more than they hurt; the
failures are more obvious than the successes.

Thanks
