Date: Wed, 21 Jun 2017 20:26:05 -0400
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - The Stack Clash

:Still, if OpenBSD was able to resolve the issues necessary after
:notification without leaking full details to the public, shouldn't
:this have been possible for the other projects without an embargo,

Several open-source distros fixing the same flavor of issue in the same
timeframe might've raised suspicions in a way that one distro alone
wouldn't have. Heck, I've tracked down embargoed security issues just
from what multiple closed source vendors documented in their release
notes.

:My take on the embargoing process (outside of what's already mentioned
:on https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php ):
:I've always been concerned by the fact that smaller distros seem to
:be barred from distros-list membership; it seems the arrangement
:lends itself too much to enabling the marketing of the larger
:companies and in fact perhaps even disincentivizing their investment
:in security as the embargo process enables them to skirt much of the
:public pain they'd otherwise have to experience (for in this
:instance what was a completely avoidable problem). I get the practical
:reasons for the policy (increased leak risk, major distros often do
:the actual fixing work, etc) but from a level of principle it's always
:rubbed me the wrong way.

In the past, I've proposed that the embargo mailing list archives
themselves have an "embargo", after which they become public. That
way, there's after-the-fact transparency, and it gives the folks who
care a good idea of what happened.

Is there anything sensitive at this point in, say, the March 2017
linux-distros archives??

-Mike

--
Michael J. O'Connor                                          mjo@...o.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Well done is better than well said."
                                                        -Ben Franklin