
Re: A message from Zoom Video Communications, Inc. -- re: free / open source software licensing, security



On Fri, 2022-01-28 at 20:23 +0000, Zoom Video Communications wrote:

> if a critical CVE is discovered at some point after we release, it’s
> best not to publish which specific Zoom client version contains the
> vulnerability, as that essentially gives a roadmap to exploitation
> for hackers.

This is misguided at best; hackers are able to compare binaries and
find out what changed. Some adversaries have this automated, and there
is even work on automatically deriving exploits from those diffs.

> https://explore.zoom.us/en/opensource/source/
> "We provide our OSS attribution in this manner intentionally, which
> is to say, it’s legally permissible (as per OSS licensing
> requirements)

On Fri, 2022-01-28 at 20:23 +0000, nmschulte@desmas.net wrote:

> - Is the stated legal assertion accurate?

It completely depends on what components they are using and what
licenses they are using those components under. If you suspect a
violation of one of those licenses, please verify the details and
contact the copyright holder for the components in question.

> - Does an open-ended request suffice

Given their response, I expect that they will reject such a request.

> - Must references be made (more) concretely, and if so ... how?

Looking at the referenced web page, I see components licensed under the
LGPL, which means that each time Zoom releases software containing
those components, they must also release the exact corresponding source
for the version used by their software, as well as complying with the
relinking and other requirements of the LGPL.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
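The point above about comparing binaries, shown as an added example (not part of pabs's message, and not Zoom's or anyone's real build): a minimal patch-diffing script that takes two builds of the same program, locates the byte regions that changed, and lists the printable strings that were added or removed. The two "binaries" are constructed byte blobs standing in for an old build and a patched one; the inserted bytes and the new error string are assumptions made for the illustration. Withholding the affected version number does not hide any of this from someone who holds both builds.

```python
"""Locate what changed between two builds of one binary.

Added example, not from the original message. OLD_BUILD / NEW_BUILD are
constructed blobs: a fake header, a short code sequence, and a string
table. NEW_BUILD inserts a length check into the code and adds an error
string, the typical footprint of a bounds-check fix.
"""
import re
from difflib import SequenceMatcher

HEADER = b"\x7fELF" + b"\x00" * 12

# Constructed "code": push rbp; mov rbp,rsp; mov rax,[rdi]; mov rdi,rax; call; pop rbp; ret
OLD_CODE = (b"\x55\x48\x89\xe5\x48\x8b\x07"
            b"\x48\x89\xc7\xe8\x10\x00\x00\x00\x5d\xc3")
# Same routine with an assumed check inserted: cmp rdi,0x1000; ja <error>
NEW_CODE = (b"\x55\x48\x89\xe5\x48\x8b\x07"
            b"\x48\x81\xff\x00\x10\x00\x00\x77\x07"
            b"\x48\x89\xc7\xe8\x10\x00\x00\x00\x5d\xc3")

OLD_STRINGS = b"main.c\x00unexpected packet\x00"
NEW_STRINGS = OLD_STRINGS + b"packet exceeds maximum length\x00"

OLD_BUILD = HEADER + OLD_CODE + b"\x00" + OLD_STRINGS
NEW_BUILD = HEADER + NEW_CODE + b"\x00" + NEW_STRINGS

CODE_START = len(HEADER)          # where the code section begins in both blobs


def changed_regions(old: bytes, new: bytes):
    """Return (old_off, old_len, new_off, new_len) for each non-matching block.

    SequenceMatcher aligns the two byte sequences, so an inserted check shows
    up as a small region rather than shifting the whole tail out of sync.
    """
    sm = SequenceMatcher(None, old, new, autojunk=False)
    return [(i1, i2 - i1, j1, j2 - j1)
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]


def printable_strings(blob: bytes, min_len: int = 6):
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}


def string_delta(old: bytes, new: bytes):
    """(added, removed) printable strings between the two builds."""
    o, n = printable_strings(old), printable_strings(new)
    return sorted(n - o), sorted(o - n)


def size_delta(old: bytes, new: bytes) -> int:
    """Net bytes added across all changed regions; equals len(new) - len(old)."""
    return sum(nl - ol for _, ol, _, nl in changed_regions(old, new))


def touches_code(old: bytes, new: bytes, code_start: int, code_len: int) -> bool:
    """True if any changed region overlaps the code section of the old build."""
    end = code_start + code_len
    return any(ol_off < end and ol_off + max(ol_len, 1) > code_start
               for ol_off, ol_len, _, _ in changed_regions(old, new))


if __name__ == "__main__":
    for region in changed_regions(OLD_BUILD, NEW_BUILD):
        print("changed: old@%d (+%d)  new@%d (+%d)" % region)
    added, removed = string_delta(OLD_BUILD, NEW_BUILD)
    print("new strings:", added)
    print("dropped strings:", removed)
```

Run against real builds, the same two steps (find changed regions, then read the new strings near them) are what points a patch-diffing adversary straight at the fixed routine, whether or not the vendor names the vulnerable version.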
