Re: DSA 438 - bad server time, bad kernel version or information delayed?
Jose Alberto Guzman wrote:
> It may be better to set a deadline for the disclosure, instead of a
> coordinated disclosure.
A deadline is some form of coordination, although a rather
unidirectional one. 8-)
Often, more flexibility is desirable.
> OTOH, it may also help to coordinate the actual release, and not just
> the announcement, so that fixed packages are not available to the public
> until everyone makes the announcement. This way the time window of fixed
> package to announcement gets smaller (only when the mirrors are up to
> date), and a clever hax0r cannot monitor changes in important packages
> (ssh, kernel, apache), and dig for unannounced fixes.
Usually, announcement and patch release are closely coordinated, and for
free software, there is often not even a separate announcement.
Deliberately silent fixes are rare. Some netfilter defects were
resolved this way (in early 2003, IIRC), but that's unusual for free
software.