Date: Tue, 15 Sep 2009 07:18:26 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net>, dgoodin@theregister.com
Cc: freebsd-questions@freebsd.org
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Message-ID: <20090915071826.a273c4fa.wmoran@potentialtech.com>
In-Reply-To: <200909150122.43566.mel.flynn%2Bfbsd.questions@mailing.thruhere.net>
References: <4AAE95B2.5050409@sitpub.com> <d7195cff0909141413g3f835bbeq4dc4d7b23872e043@mail.gmail.com> <20090914214642.GA12828@Grumpy.DynDNS.org> <200909150122.43566.mel.flynn%2Bfbsd.questions@mailing.thruhere.net>
Mel Flynn <mel.flynn+fbsd.questions@mailing.thruhere.net> wrote:

> On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > On Mon, Sep 14, 2009 at 05:13:54PM -0400, illoai@gmail.com wrote:
> > > Am 2009/9/14 Dan Goodin <dgoodin@sitpub.com> writhed:
> > > > Hello,
> > > >
> > > > Dan Goodin, a reporter at technology news website The Register.
> > > > Security researcher Przemyslaw Frasunek says versions 6.x through 6.4
> > > > of FreeBSD have a security bug. He says he notified the FreeBSD
> > > > Foundation on August 29 and never got a response. We'll be writing a
> > > > brief article about this. Please let me know ASAP if someone cares to
> > > > comment.
> > >
> > > Has anyone submitted a PR about this?
> >
> > Przemyslaw Frasunek has PRs posted but none recent. IMO if a PR is not
> > submitted then one has *not* informed the Powers That Be.
>
> Wrong. Security bugs should be reported to the security team, not PR'd.

It's typical for security issues to be kept hushed until a fix is ready. As a result, there are usually no PRs, and in the case where the person who discovered the problem is amenable, there is no public discussion at all until a fix is available.

Apparently, Mr. Frasunek started out down that path, which is admirable. It seems as if he doesn't have much patience, however, since he thinks that only 2 weeks is enough time to fix a security problem and QA the fix.

--
Bill Moran
http://www.potentialtech.com