Date: Tue, 7 Oct 2014 14:43:43 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: Re: Shellshocker - Repository of "Shellshock" Proof of Concept Code

On Tue, Oct 07, 2014 at 09:05:40AM +0000, mancha wrote:
> it would help if you'd clarify your position more explicitly.

I recognize that embargoes are not necessarily beneficial overall and they have clear drawbacks and may be unfair to some (hence my easy adoption of the opponents' term "selective disclosure" despite its negative connotation), yet I think that sometimes they are in fact beneficial overall, and I have little or no control over whether they are imposed by the reporter of an issue.

For now, I intend to continue hosting the distros list as a tool to facilitate safer handling and discussion of embargoed issues between representatives of the (selected) distros.

I suggest and ask that existing members of the distros list try to volunteer extra time to review proposed patches and the software being patched for possible related flaws. I doubt that this suggestion and request will change things much, but it "costs" nothing in terms of extra risks or slippery slopes (which would be a concern if we start adding non-distro security researchers to the list), so we have nothing to lose by asking. In case of Shellshock, there wasn't a clear enough opportunity for distros list members to change how the vulnerability would be fixed pre-disclosure, but I mean the above in general.

A related aspect is that the distros list is currently specified as being intended for medium overall severity issues. The rationale behind this is that low severity issues don't need embargoes, and high severity issues are worthy of special handling where they are to be disclosed to affected distros only rather than to all at once.
I think it's the latter aspect which correctly prompted Florian to post just a heads-up to the distros list, requiring that affected distros who actually intend to work on the issue within the allotted 2 days actively request the information. Unfortunately, this approach, while safer against leaks, precludes pre-disclosure reviews by distros who do not feel they require to patch the issue for themselves before it becomes public. Maybe this implies that those distros' representatives would not care to review the patch anyway, or maybe not.

Possibly more importantly, it precludes discussion of high severity issues between distros on the distros list, if those issues were (correctly) only announced in the form of heads-up messages requiring direct contact for detail. I think an exception needs to be made to encourage discussion of high severity issues taking advantage of the distros list PGP-re-encryption when that is expected to be beneficial, although unfortunately that is hard to know in advance.

Alexander