|
Date: Thu, 2 Feb 2012 08:54:50 +0400 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: distros & linux-distros embargo period and message format On Wed, Feb 01, 2012 at 09:17:39PM -0700, Kurt Seifried wrote: > Is something changing to significantly increase this risk that > we (the community) are unaware of? As far as I'm aware, no - it's all the same concerns and reasoning that we had e.g. 10 years ago. > You allude to: > > "Why I am making this proposal now: this is triggered by a certain > off-list discussion I just had; unfortunately, the other party does not > permit me to post more about it." > > Which is awfully vague. Unfortunately, yes. Well, I can add that it's just a person's negative opinion on what we're doing with these closed lists, with reasoning - and nothing more. > I think it's important for there to be openness, > transparency and honesty in this process or else it won't work. I fully agree. However, when someone e-mails potentially helpful comments to me yet does not permit me to post them to the list, what options do I have? Stop the discussion right there - either we discuss this in public or not at all? I guess for some topics I would do just that, but I felt that this one did not cross that line. > Like you > pointed out earlier vendors may choose to stop playing together, which > would REALLY not be good for the vendors or the Open Source community > long term. That's my opinion too. Yet I needed to bring the topic up. I was not 100% sure that some vendors currently on the list would find 7-11 days unacceptable. Being 90% sure was not enough. I've noticed a decrease in embargo periods over time - I think for vendor-sec the average might have been 14 days if not more, whereas now it might be down to 10-12 days or so (excluding the hash DoS thing). So we turned the old average into the new maximum. I thought that maybe we were ready for the "next level" - but it seems not. Maybe later? Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.