Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sat, 30 Mar 2024 15:37:27 -0000 (UTC)
From: Tavis Ormandy <taviso@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

On 2024-03-30, Marc Deslauriers wrote:
> That is the problem, having more eyes on a 0-day also means more eyes from 
> malicious entities. Neither having an embargo nor immediately posting publicly 
> are ideal solutions. There needs to be a compromise, and while I understand and 
> respect your point of view, I don't think we'll ever see eye-to-eye on what the 
> acceptable compromise should be.
>

Yeah, but your acceptable compromise *must* include Canonical having
advance knowledge of backdoors, correct?

There are a lot of other users and organizations out there, and I think
most of them also like having some agency, I know I do. If our roles
were reversed -- my organization was on distros and yours was not -- do
you think you would still be arguing for embargoes on backdoors?

Tavis.

-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso@....org
_\_V _( ) _( )  @taviso

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.