Re: The New Security Build Infrastructure

To: debian-devel@lists.debian.org
Subject: Re: The New Security Build Infrastructure
From: Wichert Akkerman <wichert@wiggy.net>
Date: Tue, 11 Jun 2002 00:31:09 +0200
Message-id: <[🔎] 20020610223109.GL6077@wiggy.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20020610153309.A28687@lightbearer.com>
References: <20020608082646.GA14111@azure.humbug.org.au> <[🔎] 87vg8to3ng.fsf@CERT.Uni-Stuttgart.DE> <[🔎] 20020608215616.GA22045@clothcat.demon.co.uk> <[🔎] 87bsakthj9.fsf@luminous.mit.edu> <[🔎] 87zny3kkih.fsf@glaurung.green-gryphon.com> <[🔎] 20020610153309.A28687@lightbearer.com>

Previously Joel Baker wrote:
> One thing I'm not entirely clear on: if the exploit is pre-announced to
> our security team, with a public release date of X, but exploits and/or
> announcements then show up "in public" (think: Bugtraq), on X-3, is Debian
> still bound to not release patches/announcements/etc until X, or are we
> generally permitted to do so under a typical NDA clause stating that if
> the information becomes public in some other fashion, we can make full use
> of it publically?

If someone goes public everyone is free to release the information.

> This may, of course, vary depending on who's announcing it, but I'd hate
> to see the (not infrequent) situation of Bugtraq getting a jump on, say,
> CERT, and Debian being bound by rules that don't permit us to release the
> things we have under those circumstnaces.

CERT also has a policy to release after 30 days after they become aware
of an issue (except for unusual situations).

Wichert.

-- 
  _________________________________________________________________
 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org            http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |


-- 
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: The New Security Build Infrastructure
  - From: "Joel Baker" <lucifer@lightbearer.com>

References:
- Re: The New Security Build Infrastructure
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
- Re: The New Security Build Infrastructure
  - From: Stephen Stafford <stephen@clothcat.demon.co.uk>
- Re: The New Security Build Infrastructure
  - From: Sam Hartman <hartmans@debian.org>
- Re: The New Security Build Infrastructure
  - From: Manoj Srivastava <srivasta@debian.org>
- Re: The New Security Build Infrastructure
  - From: "Joel Baker" <lucifer@lightbearer.com>

Prev by Date: Re: what about Database?
Next by Date: Re: Galeon and Mozilla in woody have security issues
Previous by thread: Re: The New Security Build Infrastructure
Next by thread: Re: The New Security Build Infrastructure
Index(es):
- Date
- Thread