Message-ID: <20170628203736.GA27171@openwall.com>
Date: Wed, 28 Jun 2017 22:37:36 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: accepting new members to (linux-)distros lists

On Wed, Jun 28, 2017 at 09:22:21PM +0100, Simon McVittie wrote:
> On Wed, 28 Jun 2017 at 22:02:40 +0200, Solar Designer wrote:
> > Neither you nor others you inform may use the information for anything
> > other than getting the issue fixed for your distro's users [etc.]
> 
> To be clear, does this forbid bringing upstream maintainers into the loop
> to fix vulnerabilities or review fixes in the code that they maintain?
> 
> (If it does, that seems likely to lead to bugs in the deployed fixes.)

It does, but what this really means is that you'll need to ask for the
reporter's approval (as provided for in "until the agreed upon public
disclosure date/time, the reporter's explicit approval, or substantially
complete publication by others").  That's already the current practice.

I think/hope we haven't been bringing upstreams into the loop without
ensuring such approval by the reporter and lack of objections by other
distros.  Some upstreams would just commit the fix without coordination,
which is both good and bad, but it certainly violates some reporters'
reasonable expectations.

Alexander
