Date: 06 Aug 2002 12:08:36 +0200
From: Dag-Erling Smorgrav <des@ofug.org>
To: Anatole Shaw <shaw@autoloop.com>
Cc: freebsd-security@freebsd.org
Subject: Re: advisory coordination (Re: SA-02:35)
Message-ID: <xzpznw0fgez.fsf@flood.ping.uio.no>
In-Reply-To: <20020806053237.A49851@kagnew.autoloop.com>
References: <1028312148.3d4acc54c5eef@webmail.vsi.ru> <xzpado0hp1h.fsf@flood.ping.uio.no> <20020806053237.A49851@kagnew.autoloop.com>
Anatole Shaw <shaw@autoloop.com> writes:

> I'm all for full-disclosure, but something is very wrong in these 2 cases.
> Known security problems are being released in fragments without any
> coordination. It seems that a basic Vulnerability Coordination function
> is broken or missing, and surely we can fix this.

What do you propose? Are you willing to, say, pay me to work full-time on FreeBSD security issues?

The fact of the matter is that there's too much to do and too few people to do it - but adding more people to the team brings its own problems, such as the increasing possibility that one member of the team will break the trust put in us by CERT and vendors with whom we exchange information.

Also, when you get to the bottom line, this is an open source project, and open source isn't good at secrecy. Black hats may be tipped off by patches on the FTP server, but they're just as likely to be tipped off by commit messages. A commit to a security branch is a dead giveaway that a security problem exists, yet we need time for QA and for commits to propagate to the CVSup mirrors, so advisories are not likely to be released less than about 24 hours after the corresponding commits.

In the particular case of 02:35, we probably waited a bit too long. It was originally due out on Friday along with the revised 02:33, but there were still some unanswered questions about impact and possible workarounds, and 02:36 and 02:37 (which I wrote) weren't ready, so Jacques decided to hold 02:35 back and release all three on Monday.

DES

-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message