oss-sec mailing list archives
Re: Qualys Security Advisory - The Stack Clash
From: "Mike O'Connor" <mjo () dojo mi org>
Date: Wed, 21 Jun 2017 20:26:05 -0400
:Still, if OpenBSD was able to resolve the issues necessary after
:notification without leaking full details to the public, shouldn't
:this have been possible for the other projects without an embargo,

Several open-source distros fixing the same flavor of issue in the same timeframe might've raised suspicions in a way that one distro alone wouldn't have. Heck, I've tracked down embargoed security issues just from what multiple closed source vendors documented in their release notes.

:My take on the embargoing process (outside of what's already mentioned
:on https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php ):
:I've always been concerned by the fact that smaller distros seem to
:be barred from distros-list membership; it seems the arrangement
:lends itself too much to enabling the marketing of the larger
:companies and in fact perhaps even disincentivizing their investment
:in security as the embargo process enables them to skirt much of the
:public pain they'd otherwise have to experience (for in this
:instance what was a completely avoidable problem). I get the practical
:reasons for the policy (increased leak risk, major distros often do
:the actual fixing work, etc) but from a level of principle it's always
:rubbed me the wrong way.

In the past, I've proposed that the embargo mailing list archives themselves have an "embargo", after which they become public. That way, there's after-the-fact transparency, and it gives the folks who care a good idea of what happened. Is there anything sensitive at this point in, say, the March 2017 linux-distros archives??

-Mike

--
Michael J. O'Connor mjo () dojo mi org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Well done is better than well said." -Ben Franklin