
Re: Bug#339837: Publishing more data could maybe help



On Mon, Apr 24, 2006 at 09:54:11PM -0700, Don Armstrong wrote:
> 
> Here we basically have two choices.

Who's *we*? Have you talked to the security team or is this just wishful
thinking?

> 1. Certain people sign NDAs/agreements to get the early disclosure
> information; in return they cannot disclose the information. We lose
> transparency, but security bugs can be fixed before they're (widely)
> known in the wild.

The Security Team has not signed any NDA, but a requisite to be on vendor-sec
[1] is to keep the confidentiality of the list. This has been the status quo
for years; it makes sense in a world where the bad guys do reverse
engineering of security patches to develop worms and exploits, and it helps
the Security Team provide better security for our users (remember, SC #4).

Javier

[1] http://www.fedora.us/wiki/VendorSec
