Date: Tue, 7 Oct 2014 09:05:40 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Tue, Oct 07, 2014 at 11:35:41AM +0400, Solar Designer wrote:

I'll reply to the more salient points.

> I am not saying I arrived at the above lesson.  Notice the word
> "arguably".  No change to distros list membership is being proposed.

OK. Given these two comments:

> > In this case, it was because the right ones (as it turned out) of
> > the "many eyeballs" - Tavis and Michal - were not party to the
> > "selective disclosure"...Arguably, this suggests that we should
> > expand the distros list membership with security researchers who are
> > capable, willing, and have (paid?) time to review upcoming security
> > patches and the software being patched for possible other flaws
> > closely related to those being patched.

and 

> > Would immediate full disclosure of Shellshock have helped?  I doubt
> > it.

I assumed you leaned towards steps like expanding private lists versus
more rapid engagement of the broader community. As you say, you use
"arguably" so it would help if you'd clarify your position more
explicitly.

> Unfortunately, those same people were also less productive than usual
> at their other duties (including security-related) during this time
> period.

That's a fact of life: resources are constrained. The question isn't
whether there are 24 hours in the day but whether the overall good was
being maximized in an embargo framework or not.

> It sounds like it's obvious to you that we've seen a case of
> "over-use" of embargo and that "few" people "consider the negative
> effects".

In this case was embargo under-used? over-used? just right? I don't know
but one way to arrive at an answer is to consider things empirically.
How did the process evolve in practice? Did things improve (by various
metrics) post disclosure, or not, etc.

> Also, you're quoting only part of the context.  More context for Chet:
> http://www.openwall.com/lists/oss-security/2014/10/07/7

I added Chet because I was thanking him for his efforts and because he
has a unique perspective: how was working with the community and how did
things change for him, as upstream, pre and post disclosure. Thanks for
adding the link to the full message but I wasn't intentionally trying to
filter context.

--mancha
