oss-sec mailing list archives
Re: Closed list
From: Solar Designer <solar () openwall com>
Date: Mon, 4 Apr 2011 00:44:33 +0400
On Sun, Apr 03, 2011 at 01:23:26PM +0200, Miklos Vajna wrote:
> Please subscribe me to the new list. I was a vendor-sec subscriber.
I've tentatively subscribed you, for Frugalware. However, I am not convinced that you are / will be making sufficiently good use of the advance notifications on medium-severity security issues. I went to http://frugalware.org and here's what I saw:

1. There are recent non-security package updates (such as yesterday's). Great.

2. The latest "security announcement" is dated 2011-02-13, and it is for "opera". Slightly older ones are for "drupal6-mollom", "wireshark", "horde-webmail", "wordpress", and even more web apps stuff. Then we finally see an update to "kernel" on 2010-12-12. Surely a distro that supports running and even includes a web browser and popular web apps also includes lots of other stuff, common to other distros; however, where are the security updates to those components for the last 3-4 months? There have been some security bugs in them, including many more in the kernel since 2010-12-12.

I understand that it's hard to find time for all of the low and medium severity updates when you're just one person doing security response for a non-tiny distro, and I understand that you have a legitimate need for the info. I am just not convinced that the risk of "one more person" is justified when you haven't issued an update for 48 days (or so) whereas the suggested embargo period on the new list is up to 14 days.

Yet you're on the list for now. Perhaps try to evaluate your use of the info that will be arriving to you through the list and ask to be unsubscribed if you determine that you're not making timely use of the info anyway.

I must admit that we sometimes have the same problem at Openwall - non-critical security issues are sometimes not patched for a while, and we tended not to start preparing security updates for issues discussed on vendor-sec until the CRD was very close. We did the latter in part not to add to the risk of inadvertently disclosing the issue. This suggests that the embargoes were unnecessarily too long, though (for us at least).

Alexander