Re: Is Debian affected by the recent MySQL sql/password.c flow?

To: Thomas Goirand <zigo@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: Is Debian affected by the recent MySQL sql/password.c flow?
From: Aron Xu <happyaron.xu@gmail.com>
Date: Tue, 12 Jun 2012 10:25:37 +0800
Message-id: <[🔎] CAMr=8w7wdcxSiNaRAKgYJMCunbsdaCHULtnYROj4_0B1k4ZnWg@mail.gmail.com>
In-reply-to: <[🔎] 4FD63B81.2080800@debian.org>
References: <[🔎] 4FD62E80.20308@goirand.fr> <[🔎] CAMr=8w4Mob-sWJzYGcWbw-QLBhhJf+uMOs+38uQ839BMRA2UEg@mail.gmail.com> <[🔎] 4FD634D8.7050401@debian.org> <[🔎] CAMr=8w6SMB3shwjwMEo_-vURUVzrViigOnbSxf3pGNXPkOQcHA@mail.gmail.com> <[🔎] 4FD63B81.2080800@debian.org>

On Tue, Jun 12, 2012 at 2:40 AM, Thomas Goirand <zigo@debian.org> wrote:
> On 06/12/2012 02:23 AM, Aron Xu wrote:
>> I'm not saying you are disclosing anything, but you are asking if
>> someone knows it's in what status publicly in a Debian development
>> mailing list. Then this may lead to some disclosing and even mislead
>> some other people. Yes there are many people doing tests just like
>> you, and they are reporting their results in many ways they prefer.
>> But as you are a DD you'd better not ignore our Security Team when
>> starting discussion publicly about a security incident your are not
>> sure whether it's relevant to Debian. People at Security Team are not
>> only responsible for fixing things when it breaks out, but also make
>> sure sensitive information is being disclosed in a correct form at a
>> correct time. In the end, I believe talking with them beforehand is
>> always a right way to do, no matter if Debian is affected by this
>> particular issue.
>>
>
> The first time I wrote it, it wasn't clear enough. Maybe writing with
> CAPS-ON will help your understanding! :)
>
> IT HAS ALREADY BEEN MADE PUBLIC (for example: on slashdot) !!!
>
> Do you get it now? :)
>

It's YOU that didn't get my point, :)

> With such security "glitch", how much do you expect from keeping
> such a discussion secret, with the security team? I'm telling you,
> you'd achieve absolutely nothing. Everyone will know so fast that
> it doesn't mater at all. And it's better that everyone in Debian knows
> about what's going on, so we have at least a little be of opportunity
> to fix what can be before disasters.
>

I'm not expecting to hide anything, but it's harmful to announce the
world by a discussion in debian-devel that we are affected with no
solution provided, at the time related people (means the maintainers
and Security Team, not including the user - like you) haven't said a
word about it.

If you are trying to informing people to act, then debian-devel is not
a good place, because you can't expect all Debian users are following
our mailing lists, it's YOU want to be sure for something, then
confirm with mysql's maintainer and/or Security Team will give you a
certain answer. debian-devel is not a place for collecting random
trying discoveries for security related issues anyway.



-- 
Regards,
Aron Xu

Reply to:

Follow-Ups:
- Re: Is Debian affected by the recent MySQL sql/password.c flow?
  - From: Thomas Goirand <zigo@debian.org>

References:
- Is Debian affected by the recent MySQL sql/password.c flow?
  - From: Thomas Goirand <thomas@goirand.fr>
- Re: Is Debian affected by the recent MySQL sql/password.c flow?
  - From: Aron Xu <happyaron.xu@gmail.com>
- Re: Is Debian affected by the recent MySQL sql/password.c flow?
  - From: Thomas Goirand <zigo@debian.org>
- Re: Is Debian affected by the recent MySQL sql/password.c flow?
  - From: Aron Xu <happyaron.xu@gmail.com>
- Re: Is Debian affected by the recent MySQL sql/password.c flow?
  - From: Thomas Goirand <zigo@debian.org>

Prev by Date: wwwoffle
Next by Date: Re: Is Debian affected by the recent MySQL sql/password.c flow?
Previous by thread: Re: Is Debian affected by the recent MySQL sql/password.c flow?
Next by thread: Re: Is Debian affected by the recent MySQL sql/password.c flow?
Index(es):
- Date
- Thread