oss-sec mailing list archives

Re: distros & linux-distros embargo period and message format


From: Solar Designer <solar () openwall com>
Date: Thu, 2 Feb 2012 06:01:45 +0400

On Wed, Feb 01, 2012 at 07:29:05PM -0500, Marc Deslauriers wrote:
> This means vendors will be keeping information about the vulnerability
> private until they are confident they are able to release within a week,
> at which point they will then share the information with other vendors
> who will scramble to get their updates ready.

Yes, this is one of the things I expect to be happening, too.

You asked me "why", but not "why not" - and this matches our roles for
this discussion well. ;-)

> As a distro, I now have two choices: I sit on vulnerabilities until our
> own QA and testing is done, at which point I send them to the list and

Why can't you send to the list when you are half-way done, if 2 weeks
would have been enough for you normally?

> hope that 7 days is enough for everyone else, or I simply stop using the
> list for anything that's more than trivial and contact other vendors
> directly.

Another option: contact large vendors who need more time for QA first
(2 weeks before CRD), post to the list later (1 week before CRD).  There
are possibly just a few large vendors/distros who need this (I am
thinking Ubuntu, Red Hat, SUSE - and that might be all).

Also, when you post to the list, you're able to share more info with
other vendors (those on the list): not only info on the bug, but also
your patches (perhaps already partially tested), advisory draft, etc.
That way, it is easier for other vendors to be done in 1 more week.

Drawbacks:
- Large vendors gain an advantage.
- Fixes may be worse since no input is provided by other/smaller vendors
early on (e.g., I would not have a chance to identify a shortcoming in a
patch being tested by Ubuntu until the patch is already sent to QA, so it
is too late to revise unless it fails QA).

Alexander
