Re: The New Security Build Infrastructure

On 06/19/2002 01:42:27 PM Scott James Remnant wrote:

>> Gergely Nagy wrote:
>> > I'd rather see a fix before the whole wide world notices that my
>> > servers can be compromised. Like if I leave my door wide open, and
>> > notice it at the way toward the office, I'd first phone the
>> > neighbours, and not tell everyone who happens to come by.
>> >
>> Not quite the right metaphor.

How about an automobile metaphor?

>> Public announcement of security problems: Anyone's allowed to tell you
>> your door is open.  It's up to you whether you close it straight away,
>> or wait for someone to tell you how to close it.

An automobile metaphor:  It's publicly known that underinflated
"firestone tires" on a "ford exploder" occasionally pop on the highway,
killing the occupants.
Users can apply that knowledge to either check their tire pressures,
replace the firestone tires with equivalent yet safer Michelin tires, buy a
vehicle with better handling, or ignore the admittedly small risk.

Users can apply the knowledge of the risk to avoid dangerous situations, if
the risk is publicly announced.

Regarding Debian security announcements I'd be "happy" with a "dual track",
one "secret" detailed assessment of the vulnerability and exactly how to
exploit it, and one public post to debian-devel saying "hey, sendmail has a
new security hole, please either switch to exim temporarily and/or keep
careful watch on your mail server".  That should make "everyone" happy?

>> Announcement to closed lists: The fact your door is open is discussed in
>> private until someone's come up with a way to tell you how to close your
>> door, then they finally tell you your door is open.

An automobile metaphor:  Ever heard of the Corvair?  Ralph Nader?  "Unsafe
at any speed"?
Keeping secrets from the users isn't very nice behavior.

