Date: Mon, 4 Apr 2011 00:44:33 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: Closed list On Sun, Apr 03, 2011 at 01:23:26PM +0200, Miklos Vajna wrote: > Please subscribe me to the new list. I was a vendor-sec subscriber. I've tentatively subscribed you, for Frugalware. However, I am not convinced that you are / will be making sufficiently good use of the advance notifications on medium-severity security issues. I went to http://frugalware.org and here's what I saw: 1. There are recent non-security package updates (such as yesterday's). Great. 2. The latest "security announcement" is dated 2011-02-13, and it is for "opera". Slightly older ones are for "drupal6-mollom", "wireshark", "horde-webmail", "wordpress", and even more web apps stuff. Then we finally see an update to "kernel" on 2010-12-12. Surely a distro that supports running and even includes a web browser and popular web apps also includes lots of other stuff, common to other distros, however where are the security updates to those components for the last 3-4 months? There have been some security bugs in them, including many more in the kernel since 2010-12-12. I understand that it's hard to find time for all of the low and medium severity updates when you're just one person doing security response for a non-tiny distro, and I understand that you have a legitimate need for the info. I am just not convinced that the risk of "one more person" is justified when you haven't issued an update for 48 days (or so) whereas the suggested embargo period on the new list is up to 14 days. Yet you're on the list for now. Perhaps try to evaluate your use of the info that will be arriving to you through the list and ask to be unsubscribed if you determine that you're not making timely use of the info anyway. I must admit that we sometimes have the same problem at Openwall - non-critical security issues are sometimes not patched for a while, and we tended not to start preparing security updates for issues discussed on vendor-sec until the CRD was very close. We did the latter in part not to add to the risk of inadvertently disclosing the issue. This suggests that the embargoes were unnecessarily too long, though (for us at least). Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.