Re: distros & linux-distros embargo period and message format

[Marc Deslauriers <marc.deslauriers () canonical com>]

On Thu, 2012-02-02 at 00:54 +0400, Solar Designer wrote:
> On Fri, Jan 20, 2012 at 01:44:45PM +0400, Solar Designer wrote:
> > http://oss-security.openwall.org/wiki/mailing-lists/distros
> >
> > to state the following:
> >
> > "Please note that the maximum acceptable embargo period for issues
> > disclosed to these lists is 14 to 19 days, with embargoes longer than 14
> > days (up to 19) allowed in case the issue is reported on a Thursday or a
> > Friday and the proposed coordinated disclosure date is thus adjusted to
> > fall on a Monday or (preferably) a Tuesday.  Please do not ask for a
> > longer embargo.  In fact, embargoes shorter than 14 days are preferable."
>
> I've just revised the last sentence above to say "In fact, embargo
> periods shorter than 7 days are preferable."
>
> Can we possibly afford to change the maximum to 7 to 11 days (depending
> on day of week)?  That is, 7 days is the standard maximum, up to 11 days
> is possible if the issue is reported on a Thursday or a Friday (only in
> these two cases).  I am for this change (in both my list member for
> Openwall and my list admin capacity).  What about others?

A week is a pretty short delay to prepare updates and perform the
necessary QA to get an issue out on time. Why are you pushing to get the
maximum reduced?

> (In fact, I'd prefer an even shorter maximum, but I am proposing what I
> think has a chance to be approved by others without making the list a
> lot less useful to them.)

Reducing the maximum will just result in having everyone miss the
embargo date and putting users at risk.

Marc.