Re: The New Security Build Infrastructure
Previously Joel Baker wrote:
> One thing I'm not entirely clear on: if the exploit is pre-announced to
> our security team, with a public release date of X, but exploits and/or
> announcements then show up "in public" (think: Bugtraq), on X-3, is Debian
> still bound to not release patches/announcements/etc until X, or are we
> generally permitted to do so under a typical NDA clause stating that if
> the information becomes public in some other fashion, we can make full use
> of it publicly?
If someone goes public everyone is free to release the information.
> This may, of course, vary depending on who's announcing it, but I'd hate
> to see the (not infrequent) situation of Bugtraq getting a jump on, say,
> CERT, and Debian being bound by rules that don't permit us to release the
> things we have under those circumstances.
CERT also has a policy to release 30 days after they become aware
of an issue (except for unusual situations).
/email@example.com This space intentionally left occupied \
| firstname.lastname@example.org http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |