[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The New Security Build Infrastructure

On Tue, Jun 11, 2002 at 12:31:09AM +0200, Wichert Akkerman wrote:
> Previously Joel Baker wrote:
> > One thing I'm not entirely clear on: if the exploit is pre-announced to
> > our security team, with a public release date of X, but exploits and/or
> > announcements then show up "in public" (think: Bugtraq), on X-3, is Debian
> > still bound to not release patches/announcements/etc until X, or are we
> > generally permitted to do so under a typical NDA clause stating that if
> > the information becomes public in some other fashion, we can make full use
> > of it publically?
> If someone goes public everyone is free to release the information.

Well, then, it's pretty much a non-issue as far as I can see. We're not
prevented from serving the best interests of our users, even if those
interests suddenly change mid-leap, as long as that's true (where one views
'the ability to release fixed packages as early as possible over a long
term view' as the being the best interest of our users).

Glad to have it clarified, though; thank you very much.

> > This may, of course, vary depending on who's announcing it, but I'd hate
> > to see the (not infrequent) situation of Bugtraq getting a jump on, say,
> > CERT, and Debian being bound by rules that don't permit us to release the
> > things we have under those circumstnaces.
> CERT also has a policy to release after 30 days after they become aware
> of an issue (except for unusual situations).

Indeed. I didn't know if Debian had agreements with folks other than CERT
which might or might not have had such clauses; sorry if I wasn't clear
enough on that.
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/

To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: