oss-sec mailing list archives

Re: accepting new members to (linux-)distros lists


From: Solar Designer <solar () openwall com>
Date: Wed, 28 Jun 2017 22:37:36 +0200

On Wed, Jun 28, 2017 at 09:22:21PM +0100, Simon McVittie wrote:
> On Wed, 28 Jun 2017 at 22:02:40 +0200, Solar Designer wrote:
> > Neither you nor others you inform may use the information for anything
> > other than getting the issue fixed for your distro's users [etc.]
>
> To be clear, does this forbid bringing upstream maintainers into the loop
> to fix vulnerabilities or review fixes in the code that they maintain?
>
> (If it does, that seems likely to lead to bugs in the deployed fixes.)

It does, but what this really means is that you'll need to ask for the
reporter's approval (as provided for in "until the agreed upon public
disclosure date/time, the reporter's explicit approval, or substantially
complete publication by others").  That's already the current practice.

I think/hope we haven't been bringing upstreams into the loop without
ensuring such approval by the reporter and lack of objections by other
distros.  Some upstreams would just commit the fix without coordination,
which is both good and bad, but it certainly violates some reporters'
reasonable expectations.

Alexander

