
Re: oCERT



* Yves-Alexis Perez:

> would it make sense for Debian to participate to http://www.ocert.org
> (Opensource Computer Emergency Response Team)?
>
> It could be nice to share advisories and that sort of things.

Debian is already a member of vendor-sec, a well-established group for
handling embargoed issues and background discussions related to free
software.  Personally, I don't see the need for yet another
vulnerability sharing club, especially since Ocert seems to insist on
Ocert <-> vendor communication (or maybe it's even Ocert <-> individual,
hard to tell at this stage), as opposed to vendor <-> vendor
communication under the vendor-sec model.  This means that when we find
a bug in an upstream patch, Ocert needs to relay that information to all
involved vendors, and forward further questions back to us.  Apart from
the delay, this suffers from the dreaded Chinese Whispers syndrome.

(Speaking only for myself, and not for the security team.)
