oss-sec mailing list archives

Re: Rule for releasing fixes for embargoed bugs


From: Dominique Martinet <asmadeus () codewreck org>
Date: Fri, 17 Aug 2018 15:14:01 +0200

Marcus Meissner wrote on Fri, Aug 17, 2018:
> There seems to be some miscommunication here, which should be directly
> clarified with the security team of the affected distribution(s).

You are correct, I will also send them an email.

> Rule of thumb is: when a vendor publishes updates for an issue, the issue
> is public and can be referenced publicly. I do not understand why you
> would get push back unless there are communication problems.

> Also FWIW CVE-2018-3690 is an older reference to "Bounds Check Bypass Store",
> which is now tracked as CVE-2018-3693 and is public.

Thank you for the reference to the new CVE, I only had what was in the
package changelog to go with and none of the trackers I know about
reference CVE-2018-3690 as a duplicate/old name of CVE-2018-3693, so it
was confusing.
This is actually pretty reassuring that the rule is then appropriately
respected.

That being said, if CVE-2018-3693 is public there really is no reason to
say what they said in the discussions I have had with the RDMA folks, so
I will work to clear that up.


Thanks,
-- 
Dominique Martinet

