
Re: A message from Zoom Video Communications, Inc. -- re: free / open source software licensing, security
On Sat, Jan 29, 2022 at 08:30:39AM +0800, Paul Wise wrote:
> On Fri, 2022-01-28 at 20:23 +0000, Zoom Video Communications wrote:
> 
> > if a critical CVE is discovered at some point after we release, it’s
> > best not to publish which specific Zoom client version contains the
> > vulnerability, as that essentially gives a roadmap to exploitation
> > for hackers.
> 
> This is misguided at best, hackers are able to compare binaries and
> find out what changed. Some adversaries have this automated and there
> is even work on automatically deriving exploits from those diffs.

And they, Zoom Video Communications, completely miss the point:
to provide their customers with information
on whether or not to upgrade their Zoom client.

> > https://explore.zoom.us/en/opensource/source/
> > "We provide our OSS attribution in this manner intentionally, which
> > is to say, it’s legally permissible (as per OSS licensing
> > requirements)
> 
> On Fri, 2022-01-28 at 20:23 +0000, nmschulte@desmas.net wrote:
> 
> > - Is the stated legal assertion accurate?
> 
> It completely depends on what components they are using and what
> licenses they are using those components under. If you suspect a
> violation of one of those licenses, please verify the details and
> contact the copyright holder for the components in question.
> 
> > - Does an open-ended request suffice
> 
> Given their response, I expect that they will reject such a request.

FWIW, feel lucky upon receiving a reject from them.
Because it implies they, Zoom, made some effort to inform you.


> > - Must references be made (more) concretely, and if so ... how?
> 
> Looking at the referenced web page, I see components licensed under the
> LGPL, which means that each time Zoom releases software containing
> those components, they must also release the exact corresponding source
> for the version used by their software, as well as complying with the
> relinking and other requirements of the LGPL.
> 
> -- 
> bye,
> pabs
> 
> https://wiki.debian.org/PaulWise


Regards
Geert Stappers
Who thinks that customers and software vendors who are talking with each other
is the best security measure there is.
-- 
Silence is hard to parse