Re: Is Debian affected by the recent MySQL sql/password.c flaw?

On Tue, Jun 12, 2012 at 2:40 AM, Thomas Goirand <zigo@debian.org> wrote:
> On 06/12/2012 02:23 AM, Aron Xu wrote:
>> I'm not saying you are disclosing anything, but you are asking if
>> someone knows it's in what status publicly in a Debian development
>> mailing list. Then this may lead to some disclosing and even mislead
>> some other people. Yes there are many people doing tests just like
>> you, and they are reporting their results in many ways they prefer.
>> But as you are a DD you'd better not ignore our Security Team when
>> starting discussion publicly about a security incident you are not
>> sure whether it's relevant to Debian. People at Security Team are not
>> only responsible for fixing things when it breaks out, but also for making
>> sure sensitive information is being disclosed in a correct form at a
>> correct time. In the end, I believe talking with them beforehand is
>> always the right thing to do, no matter if Debian is affected by this
>> particular issue.
> The first time I wrote it, it wasn't clear enough. Maybe writing with
> CAPS-ON will help your understanding! :)
> IT HAS ALREADY BEEN MADE PUBLIC (for example: on slashdot)!!!
> Do you get it now? :)

It's YOU who didn't get my point. :)

> With such a security "glitch", how much do you expect from keeping
> such a discussion secret, with the security team? I'm telling you,
> you'd achieve absolutely nothing. Everyone will know so fast that
> it doesn't matter at all. And it's better that everyone in Debian knows
> about what's going on, so we have at least a little bit of opportunity
> to fix what can be fixed before disasters.

I'm not expecting to hide anything, but it's harmful to announce to the
world, by a discussion in debian-devel, that we are affected with no
solution provided, at a time when the related people (meaning the maintainers
and Security Team, not including users like you) haven't said a
word about it.

If you are trying to inform people so they can act, then debian-devel is not
a good place, because you can't expect all Debian users to be following
our mailing lists. If it's YOU who wants to be sure about something, then
confirming with mysql's maintainer and/or the Security Team will give you a
definite answer. debian-devel is not a place for collecting random
discoveries from trying things out on security-related issues anyway.

Aron Xu