Re: Re: backdoor in upstream xz/liblzma leading to ssh server compromise

[Marc Deslauriers <marc.deslauriers () canonical com>]

On 2024-03-30 11:37, Tavis Ormandy wrote:
> On 2024-03-30, Marc Deslauriers wrote:
> > That is the problem, having more eyes on a 0-day also means more eyes from
> > malicious entities. Neither having an embargo nor immediately posting publicly
> > are ideal solutions. There needs to be a compromise, and while I understand and
> > respect your point of view, I don't think we'll ever see eye-to-eye on what the
> > acceptable compromise should be.
>
> Yeah, but your acceptable compromise *must* include Canonical having
> advance knowledge of backdoors, correct?

Not necessarily. For example, I don't have access to embargoed Chrome 0-days 
before the updates come out, and a lot of other folks don't either. Should all 
Chrome 0-days be public before the updates are available? Are you advocating for 
this?

> There are a lot of other users and organizations out there, and I think
> most of them also like having some agency, I know I do. If our roles
> were reversed -- my organization was on distros and yours was not -- do
> you think you would still be arguing for embargoes on backdoors?

I'm not necessarily arguing for embargoes on backdoors, I'm saying that posting 
publicly about it before even knowing what it was would have resulted in a worse 
outcome. That's my opinion, you may think it's a wrong.

Perhaps the question here is why isn't your organization on one of the multitude 
of places where this issue was discussed in private for a few hours, and where 
it was decided that this should be public?

Marc.