oss-sec mailing list archives
Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Sat, 30 Mar 2024 11:58:04 -0400
On 2024-03-30 11:37, Tavis Ormandy wrote:
On 2024-03-30, Marc Deslauriers wrote:That is the problem, having more eyes on a 0-day also means more eyes from malicious entities. Neither having an embargo nor immediately posting publicly are ideal solutions. There needs to be a compromise, and while I understand and respect your point of view, I don't think we'll ever see eye-to-eye on what the acceptable compromise should be.Yeah, but your acceptable compromise *must* include Canonical having advance knowledge of backdoors, correct?
Not necessarily. For example, I don't have access to embargoed Chrome 0-days before the updates come out, and a lot of other folks don't either. Should all Chrome 0-days be public before the updates are available? Are you advocating for this?
There are a lot of other users and organizations out there, and I think most of them also like having some agency, I know I do. If our roles were reversed -- my organization was on distros and yours was not -- do you think you would still be arguing for embargoes on backdoors?
I'm not necessarily arguing for embargoes on backdoors, I'm saying that posting publicly about it before even knowing what it was would have resulted in a worse outcome. That's my opinion, you may think it's a wrong.
Perhaps the question here is why isn't your organization on one of the multitude of places where this issue was discussed in private for a few hours, and where it was decided that this should be public?
Marc.
Current thread:
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise, (continued)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Liguori, Anthony (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Russ Allbery (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 29)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 29)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marcin Wolcendorf (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Marc Deslauriers (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Tavis Ormandy (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Bo Anderson (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Loganaden Velvindron (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Bjoern Franke (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pierre-Elliott Bécue (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jeffrey Walton (Mar 30)
- Re: backdoor in upstream xz/liblzma leading to ssh server compromise Solar Designer (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Mats Wichmann (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Jan Engelhardt (Mar 30)
- Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise Pat Gunn (Mar 30)