From owner-freebsd-security Tue Aug 6 3: 8:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4480937B400 for ; Tue, 6 Aug 2002 03:08:41 -0700 (PDT)
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5DA2043E75 for ; Tue, 6 Aug 2002 03:08:40 -0700 (PDT) (envelope-from des@ofug.org)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id 2939C535C; Tue, 6 Aug 2002 12:08:37 +0200 (CEST)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Anatole Shaw
Cc: freebsd-security@freebsd.org
Subject: Re: advisory coordination (Re: SA-02:35)
References: <1028312148.3d4acc54c5eef@webmail.vsi.ru> <20020806053237.A49851@kagnew.autoloop.com>
From: Dag-Erling Smorgrav
Date: 06 Aug 2002 12:08:36 +0200
In-Reply-To: <20020806053237.A49851@kagnew.autoloop.com>
Lines: 31
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Anatole Shaw writes:
> I'm all for full-disclosure, but something is very wrong in these 2 cases.
> Known security problems are being released in fragments without any
> coordination. It seems that a basic Vulnerability Coordination function
> is broken or missing, and surely we can fix this.

What do you propose? Are you willing to, say, pay me to work full-time on FreeBSD security issues?

The fact of the matter is that there's too much to do and too few people to do it - but adding more people to the team brings its own problems, such as the increasing possibility that one member of the team will break the trust put in us by CERT and vendors with whom we exchange information.

Also, when you get to the bottom line, this is an open source project, and open source isn't good at secrecy. Black hats may be tipped off by patches on the FTP server, but they're just as likely to be tipped off by commit messages. A commit to a security branch is a dead giveaway that a security problem exists, yet we need time for QA and for commits to propagate to the CVSup mirrors, so advisories are not likely to be released less than about 24 hours after the corresponding commits.

In the particular case of 02:35, we probably waited a bit too long. It was originally due out on Friday along with the revised 02:33, but there were still some unanswered questions about impact and possible workarounds, and 02:36 and 02:37 (which I wrote) weren't ready, so Jacques decided to hold 02:35 back and release all three on Monday.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message