
Re: Is Debian affected by the recent MySQL sql/password.c flow?

On mar., 2012-06-12 at 02:23 +0800, Aron Xu wrote:
> On Tue, Jun 12, 2012 at 2:11 AM, Thomas Goirand <zigo@debian.org> wrote:
> > On 06/12/2012 01:52 AM, Aron Xu wrote:
> >> IMHO I suggest to talk with Security Team before disclosing
> >> information that might be sensitive in the meantime on a Debian
> >> development mailing list.
> >>
> > Could you explain to me what exactly I'm disclosing?
> > The news is already on slashdot and so on, and I think
> > it'd be better to know, as hackers will.
> >
> I'm not saying you are disclosing anything, but you are asking if
> someone knows it's in what status publicly in a Debian development
> mailing list. Then this may lead to some disclosing and even mislead
> some other people. Yes there are many people doing tests just like
> you, and they are reporting their results in many ways they prefer.
> But as you are a DD you'd better not ignore our Security Team when
> starting discussion publicly about a security incident you are not
> sure whether it's relevant to Debian. People at Security Team are not
> only responsible for fixing things when it breaks out, but also make
> sure sensitive information is being disclosed in a correct form at a
> correct time. In the end, I believe talking with them beforehand is
> always a right way to do, no matter if Debian is affected by this
> particular issue.
To be honest, I think -devel is a bad place for this just because it's
more or less full of useless, hundred mails long threads, so for example
I barely can follow it (and consider removing my subscription). So it'd
be better on some less noisy, security related, Debian list like

