
Re: The New Security Build Infrastructure

Stephen Frost wrote:

> * Scott James Remnant (scott@netsplit.com) wrote:
> > If there's a potential exploit for a server, I want to know about it as
> > soon as the developers do so I can shut down that server until they come
> > up with a fixed version.
> > 
> > Just because there isn't a fixed version yet, does not mean that there
> > isn't a fairly knowledgeable hacker who's managed to exploit it.
> The options go like this:
> a) Get notification early of the problem, get time to fix it and ready a
>    new package.
> b) Don't get notification until it's made public and have to scramble to
>    get a fix in ASAP because the problem is public.
Aye, I'm aware of the problem :(  'tis why I just mailed debian-devel my
2p, rather than Cc'ing Florian directly.

> It's pretty simple really.  You're going to find out at the same time
> either way, it's just that in the first case there will be a package
> ready when you find out and in the second case there won't be and you'll
> have to wait for one.
> So, which would you prefer, for there to be a package ready when you
> find out, or for there to not be one?
From a user point of view, the latter.  I'd rather pull a service down
because of an exploit, and wait for a package, than not know about an
exploit for one of my systems.

From a Debian developer point of view, the former.  I'd rather we knew
about the exploit as early as everyone else so we had the same time to
fix the problem.

So I guess I disagree with their policy, preferring our official one. 
But I agree we probably have to abide by their wish to not officially
disclose the problem in order to correctly serve our users.

Scott James Remnant     Have you ever, ever felt like this?  Had strange
http://netsplit.com/      things happen?  Are you going round the twist?
