oss-sec mailing list archives
Re: membership request to the closed linux-distros security mailing list
From: Florian Weimer <fw () deneb enyo de>
Date: Sun, 22 Mar 2015 12:44:37 +0100
* Stuart Henderson:
On 2015/03/20 08:16, Anthony Liguori wrote:I think the alternative is to formalize what already appears to be the existing practice: disclose distros@ on the existence of a vulnerability but require direct contact for the details of the vulnerability if the submitter/upstream thinks the impact is high.Are private lists even needed if this policy is taken?
Yes, it is. Often, things are bad enough that just looking at the software for five minutes is sufficient to rediscover the vulnerability. Or maybe a couple of different vulnerabilities with similar impact. There's also interaction with CVE assignment. The current, working assignment process requires short embargoes at least. And a certain subset of reporters cares about the CVE assignment above anything else because it's a widely-accepted metric for having found something, which in turn indicates that the reporters have done their job. I think we can and should reduce the number of embargoes, but we'd have to address the CVE assignment process for public issues at the same time. Reducing the number of embargoes would also help those quasi-proprietary vendors and show them that building upstream relationships and tracking their software portfolio are the key tasks, and not getting a few days advance notice for vulnerabilities. Most GNU/Linux distributions can fix about anything that's fixable at all within two or three weeks (and that includes the analysis required to actually understand the bug). Most quasi-proprietary vendors work on totally different time scales, and even if they do not have to do the analysis themselves, a few weeks is nothing to them. But here's another perspective. Lior Kaplan writes, “Even if the issue isn't severe, upstream should get a fair chance to fix issue before making them public.” <https://liorkaplan.wordpress.com/2015/03/19/cve-assignment-without-upstream-knowledge/>
Current thread:
- membership request to the closed linux-distros security mailing list Sona Sarmadi (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Solar Designer (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Anthony Liguori (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Stuart Henderson (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Anthony Liguori (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Marcus Meissner (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Anthony Liguori (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Daniel Micay (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Kurt Seifried (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Anthony Liguori (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Solar Designer (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Florian Weimer (Mar 22)
- Re: membership request to the closed linux-distros security mailing list Alan Coopersmith (Mar 20)