
Re: The New Security Build Infrastructure

Previously Joel Baker wrote:
> One thing I'm not entirely clear on: if the exploit is pre-announced to
> our security team, with a public release date of X, but exploits and/or
> announcements then show up "in public" (think: Bugtraq), on X-3, is Debian
> still bound to not release patches/announcements/etc until X, or are we
> generally permitted to do so under a typical NDA clause stating that if
> the information becomes public in some other fashion, we can make full use
> of it publicly?

If someone goes public everyone is free to release the information.

> This may, of course, vary depending on who's announcing it, but I'd hate
> to see the (not infrequent) situation of Bugtraq getting a jump on, say,
> CERT, and Debian being bound by rules that don't permit us to release the
> things we have under those circumstances.

CERT also has a policy to release 30 days after they become aware
of an issue (except for unusual situations).


 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
