Date: Tue, 5 Apr 2011 17:31:29 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Tue, Apr 05, 2011 at 09:52:10AM +0100, Benji wrote:
> Fixing issues secretly is definitely a no-go in my book.

I think you're mixing up distinct things:

1. Fixing security bugs secretly, then releasing the fixed software
without notifying others of the fixes.

2. Fixing security bugs secretly, then releasing the fixed software
along with information on the fixes on the coordinated release date.

I think #1 has worse drawbacks than #2. I think that with the current
state of the community/industry/technology, we should avoid #1, but we
can do #2. Is your opinion on #2 different, and why?

> It will and clearly
> has, created hostility between different developer groups and those that are
> allowed in and those that aren't.

Unfortunately, yes, both #1 and #2 may create hostility.

> >>However, my proposal, which I am going to try to enforce, is to only
> >>discuss medium-severity issues on this new list. I think that an
> >>embargo period of 1-2 days does not make sense for those; if that's all
> >>we can afford, we can as well make them public right away.
>
> So.... if this list isn't for high-severity issues what is the point of it?
> Why not use OSS-Sec.

For low-severity issues, I propose that we use oss-security right away.

I propose that we use the new closed list(s) for medium-severity issues,
where immediate disclosure on oss-security could do some harm.

In this context, I propose to use overall severity defined as the
product of risk probability and risk impact. Of course, we'll use
guesstimates.

> I thought the only way this el8 mailing list was even
> justified was the fact that the vulnerabilities were mission-critical and
> the POCs for these vulnerabilities would potentially lead to throwing us
> back into the ice-ages.

That's not my justification. In those special cases, I'd try to see who
is affected before sending out the detail. However, the list may in fact
be useful to probe for affected vendors/distros - post a heads up, with
no detail on the issue, and ask to contact the reporter for detail.
Also, propose a much shorter embargo period (than is usual for the
list). vendor-sec was used like that on some occasions, and I think it
was an improvement over mailing the same heads up to an arbitrary subset
of distros, which happens in the absence of such a list.

> >>That said, I agree that a closed list should be a last resort, to be
> >>used whenever other options are determined to be less appropriate for a
> >>particular security issue. Unfortunately, this determination is usually
> >>made by just one person (whoever brings the issue to the list), so it is
> >>likely to sometimes be "wrong".
>
> So why are you using a last resort for 'medium-severity issues'?

The key words above were: "whenever other options are determined to be
less appropriate". "Less appropriate" does not mean that it would be
the end of the world if the issue were disclosed publicly right away.
Things would just be worse, in the reporter's opinion. So we provide a
convenient way for one distro to share info (or just a heads up) with
other likely-affected distros. In the absence of such a list, the
reporter would likely end up notifying an arbitrary subset of the
distros.

> Currently, from what you've said, it seems like you're trying to, as some
> people apparently correctly feared, an elite mailing list where you can all
> boost your egos and, excuse the term for lack of a better one, 'circlejerk'.

I fail to see what in this discussion thread makes you arrive at that
conclusion, other than presumably you readily having this opinion of any
closed discussion groups. If that's not the case, then can you name a
closed discussion group that you would not categorize that way, and
explain why not? This might help me and others understand you better.

> Question; now that vendor-sec has been compromised, I suppose we can expect
> a full public archive of all the emails?

Maybe, or maybe not. This may happen if someone just goes ahead and
posts it publicly. Other than that, making it public in an ethical
fashion feels unrealistic (we'd need to ask everyone who has ever posted
to the list).

I get your point, though: if we're not treating e-mail addresses as
private, then why are we treating the vendor-sec archive as such?

My answers to this:

We're not actually posting the vendor-sec members list; everyone who
wanted to join the new list posted to this thread on their own.

On the other hand, I would not be surprised if a decision is made to
post the vendor-sec members list. It is in fact not as private as the
messages themselves. (I don't know if there's even a complete archive
of vendor-sec anywhere.)

Alexander