oss-sec mailing list archives
Re: libxml security fix from apple ... any information?
From: Solar Designer <solar () openwall com>
Date: Sun, 31 Jul 2011 01:27:21 +0400
Jeffrey,

On Sat, Jul 30, 2011 at 01:50:40PM -0700, Jeffrey Czerniak wrote:
> We would like to cooperate with other downstream distributors of free and open source software on security issues, as Apple is a major distributor of such software. However, our previous attempts to engage the community have not been successful. One-way disclosure of information related to security issues subjects our customers to non-trivial risk without providing any added security benefit. This is particularly pertinent if the disclosure were to occur in advance of the release of fixed software.

Is this a reference to the "closed list", which is currently Linux-only? If so, are you saying that you would not share vulnerability information with such a list ("one-way"), even for issues that you think are relevant to Linux distro vendors, when Apple is not a member of the list?

I am merely asking for clarification because this is important info on what communication channels should or should not exist and be in use. I do not express any opinion.

FYI, my intent as linux-distros list admin has always been to have specific non-Linux vendors informed if an issue is brought up that is relevant to those vendors. That's regardless of whether those vendors similarly inform the Linux vendors or not. I do recall and partially agree with Apple's argument that we would not know which of the issues affect your products, though.

For example, when the libsoup issue was brought up recently, I insisted that the reporter would also inform *BSD's. I think that issue did not affect Apple, did it? No GNOME in your products, right? (Not counting third-party/unofficial builds.)

Thanks,

Alexander