Re: DSA 438 - bad server time, bad kernel version or information delayed?
On Fri, Feb 20, 2004 at 02:34:37PM +0100, Adrian von Bidder wrote:
> I think this is the time where I'd like to see some hard data. Which DSA's
> would possibly have been released differently if such a reorganisation would
> have been in place?
Absolutely none. The proposed "reorganization" was basically to create a
new security team out of thin air, not tell them about anything, and expect
bugfixes sooner. It was nonsense.
> [misinformation about CERT deleted]
> In other cases, that entity will publish a fix with no or incomplete
> information. The SSH case, I guess. The situation would not change again, as
> Debian cannot publish an unknown fix until it is, eh, well, known.
> In other cases, that entity discloses information only to a select few parties,
> amongst them the non-CERT Debian security team. This is the one case where
> that scheme does make a difference. Has this ever happened in the past?
CERT rarely has anything to do with coordinating disclosure, and there is no
need to bring them into this discussion at all. The coordination that
happens is between vendors, like Debian, as peers.
Those last two cases are equivalent. Think about it.
The former is "entity publishes information". The latter is "entity
discloses information to a 'select' group of people which then turns around
and publishes it". Why would anyone do that instead of publishing the
information themselves? If they wanted it to be widely known, they would
make it so.