Date: Wed, 15 Oct 2014 12:30:42 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: list policy (Re: Truly scary SSL 3.0 vuln to be revealed soon:)

Looks like I need to comment on the specific questions on list policy:

On Tue, Oct 14, 2014 at 10:48:00PM -0700, Walter Parker wrote:
> What is this list's policy on Full Disclosure?

Whatever is sent to the list, if on-topic and otherwise appropriate (e.g., not some non-English HTML-only message), is posted with no artificial delay. In this respect, the only difference from the Full-Disclosure mailing list (as far as I understand how it's run) is that oss-security is limited to / focused on Open Source.

While the charter does discourage some kinds of postings, this is only being enforced for off-topic or technically inappropriate postings.

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

Specifically, this says (among other things):

- Public security issues only please. What you say here is public for the world to see - keep that in mind. Some kinds of embargoed information (intended for public disclosure in at most 2 weeks) may be disclosed to distros.

- Please don't send fully working exploits (but testcases that exercise the flaw are welcome)

FWIW, I've always been tempted to remove the latter guideline, but as you can see I left it around for now. (Someone else in this community wrote it.)

Like I said, these two guidelines above are not actually being enforced during message moderation. They're merely polite requests/reminders.

> What is this list's policy on sourced/unsourced security rumors?

No specific policy - I don't think it's ever been discussed so far. Personally, I'd like on-topic rumors to be posted in here, with due warnings on how unreliable the information might be.

> Why do people on lists like this seem to think that censoring themselves
> and others will actually do any good.
There are a lot of people in here (as well as "on lists like this"), with different opinions. In this thread, we've only seen one person suggest anything like you describe.

> On Tue, Oct 14, 2014 at 10:28 PM, Sona Sarmadi <sona.sarmadi@...a.com> wrote:
> > A reflection: Maybe we shouldn't post information like this here or
> > somewhere else which is not published yet even if the information has leaked
> > out? Although all members here are reliable, it is still an open mailing
> > list and we should be careful and act more responsibly.

Personally, I find this ridiculous, as do many others. (No offense intended.)

Just off Twitter:

<i0n1c> Seriously? People are discussing on OSS if it is irresponsible to discuss SSL3 vulnerability while someone kept it under embargo.

Of course, even having this sort of discussion makes us look ridiculous. Yet if a list member wanted to post this "reflection", it should have been posted, and it was.

Alexander