Date: Wed, 21 Jun 2017 20:26:05 -0400
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: Qualys Security Advisory - The Stack Clash

:Still, if OpenBSD was able to resolve the issues necessary after 
:notification without leaking full details to the public, shouldn't 
:this have been possible for the other projects without an embargo, 

Several open-source distros fixing the same flavor of issue in the
same timeframe might've raised suspicions in a way that one distro
alone wouldn't have.  Heck, I've tracked down embargoed security
issues just from what multiple closed source vendors documented in
their release notes.

:My take on the embargoing process (outside of what's already mentioned
:on https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php ):
:I've always been concerned by the fact that smaller distros seem to 
:be barred from distros-list membership; it seems the arrangement 
:lends itself too much to enabling the marketing of the larger 
:companies and in fact perhaps even disincentivizing their investment 
:in security as the embargo process enables them to skirt much of the 
:public pain they'd otherwise have to experience (for in this 
:instance what was a completely avoidable problem).  I get the practical
:reasons for the policy (increased leak risk, major distros often do
:the actual fixing work, etc) but from a level of principle it's always
:rubbed me the wrong way.

In the past, I've proposed that the embargo mailing list archives
themselves have an "embargo", after which they become public.  That
way, there's after-the-fact transparency, and it gives the folks who
care a good idea of what happened.  Is there anything sensitive at
this point in, say, the March 2017 linux-distros archives?

-Mike

-- 
 Michael J. O'Connor                                          mjo@...o.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Well done is better than well said."                           -Ben Franklin
