oss-sec mailing list archives

Re: libxml security fix from apple ... any information?


From: Solar Designer <solar () openwall com>
Date: Sun, 31 Jul 2011 01:27:21 +0400

Jeffrey,

On Sat, Jul 30, 2011 at 01:50:40PM -0700, Jeffrey Czerniak wrote:
> We would like to cooperate with other downstream distributors of free
> and open source software on security issues, as Apple is a major
> distributor of such software.  However, our previous attempts to
> engage the community have not been successful.  One-way disclosure of
> information related to security issues subjects our customers to
> non-trivial risk without providing any added security benefit.  This
> is particularly pertinent if the disclosure were to occur in advance
> of the release of fixed software.

Is this a reference to the "closed list", which is currently Linux-only?

If so, are you saying that you would not share vulnerability information
with such a list ("one-way"), even for issues that you think are
relevant to Linux distro vendors, when Apple is not a member of the list?

I am merely asking for clarification because this is important info on
what communication channels should or should not exist and be in use.
I do not express any opinion.

FYI, my intent as linux-distros list admin has always been to have
specific non-Linux vendors informed if an issue is brought up that is
relevant to those vendors.  That's regardless of whether those vendors
similarly inform the Linux vendors or not.

I do recall and partially agree with Apple's argument that we would not
know which of the issues affect your products, though.

For example, when the libsoup issue was brought up recently, I insisted
that the reporter would also inform the *BSDs.  I think that issue did
not affect Apple, did it?  No GNOME in your products, right?  (Not
counting third-party/unofficial builds.)

Thanks,

Alexander
