oss-sec mailing list archives

Re: Qualys Security Advisory - The Stack Clash


From: "Mike O'Connor" <mjo () dojo mi org>
Date: Wed, 21 Jun 2017 20:26:05 -0400

:Still, if OpenBSD was able to resolve the issues necessary after 
:notification without leaking full details to the public, shouldn't 
:this have been possible for the other projects without an embargo, 

Several open-source distros fixing the same flavor of issue in the
same timeframe might've raised suspicions in a way that one distro
alone wouldn't have.  Heck, I've tracked down embargoed security
issues just from what multiple closed source vendors documented in
their release notes.

:My take on the embargoing process (outside of what's already mentioned
:on https://grsecurity.net/an_ancient_kernel_hole_is_not_closed.php ):
:I've always been concerned by the fact that smaller distros seem to 
:be barred from distros-list membership; it seems the arrangement 
:lends itself too much to enabling the marketing of the larger 
:companies and in fact perhaps even disincentivizing their investment 
:in security as the embargo process enables them to skirt much of the 
:public pain they'd otherwise have to experience (for in this 
:instance what was a completely avoidable problem).  I get the practical
:reasons for the policy (increased leak risk, major distros often do
:the actual fixing work, etc) but from a level of principle it's always
:rubbed me the wrong way.

In the past, I've proposed that the embargo mailing list archives
themselves have an "embargo", after which they become public.  That
way, there's after-the-fact transparency, and it gives the folks who
care a good idea of what happened.  Is there anything sensitive at
this point in, say, the March 2017 linux-distros archives??   

-Mike

-- 
 Michael J. O'Connor                                          mjo () dojo mi org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Well done is better than well said."                           -Ben Franklin
