
Re: The New Security Build Infrastructure

On Mon, Jun 10, 2002 at 02:21:10PM -0500, Manoj Srivastava wrote:
> 	The way security advisories are structured, and the people who
>  issue them are the ones making these rules, is that premature
>  dissemination of the information shall get you excluded from the
>  early warnings. That is going to be extremely detrimental to Debian
>  users. 
> 	In situations like this, one has to actually weigh the
>  ramifications of both alternatives, since there are pros and cons on
>  either path; selecting one con from one branch and concentrating on
>  it with blinkers on to hide the rest of the issue is not quite
>  productive. 

One thing I'm not entirely clear on: if the exploit is pre-announced to
our security team, with a public release date of X, but exploits and/or
announcements then show up "in public" (think: Bugtraq), on X-3, is Debian
still bound to not release patches/announcements/etc until X, or are we
generally permitted to do so under a typical NDA clause stating that if
the information becomes public in some other fashion, we can make full use
of it publicly?

This may, of course, vary depending on who's announcing it, but I'd hate
to see the (not infrequent) situation of Bugtraq getting a jump on, say,
CERT, and Debian being bound by rules that don't permit us to release the
things we have under those circumstances.

And, of course, the NDAs could have exactly that clause, meaning that it
becomes a non-issue... but I'm curious as to whether they do.

Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/
