
Re: GR Proposal: Declassification of -private



On Tue, Nov 15, 2005 at 07:53:28PM +0100, Bernhard R. Link wrote:
> * Anthony Towns <aj@azure.humbug.org.au> [051115 03:12]:
> > In accordance with principles of openness and transparency, Debian will
> > seek to declassify and publish posts of historical or ongoing significance
> > made to the Debian Private Mailing List.
> > [...]
> >   * The team will automatically declassify and publish posts made to
> >     that list after three years, with the following exceptions:
>                       =====
> >[...]
> >     - publication of posts that would reveal otherwise unpublished
> >       security vulnerabilities in currently supported releases of a
> >       Debian distribution will be deferred;
> Are you serious?

Entirely.

> If some such mail found its way to debian-private, it should be
> considered published to all blackhats by that action already. (As it
> will be sent unencrypted in several hundred copies over the internet,
> lying around unencrypted in several hundred mailboxes, ...)

And if it's been sent to -private three years ago, it should be fixed by
now -- even if there wasn't a security update or a point release for it;
there's been a major release since then.

In the fairly unlikely event that the concept hasn't been published
elsewhere in the meantime, hasn't been fixed (and thus published in the
archive), and the author doesn't specifically say "publish", however, it
seems pretty reasonable not to pass it on to any other blackhats who
might not've already seen it.

(Also, you missed the fact that master, which has unencrypted archives of
-private, has been compromised in the past three years)

> Such a point in such a list is a very bad joke, as it could be read
> that:
>  - such a mail should not be published
>  - there are such mails
> or even
>  - there are such mails still describing something open 3 years later.

Personally, I'd rather people spread FUD about Debian than have Debian
not act with utmost care about publishing private notifications of
security information.

If you think "utmost care" is fixing them, and informing people about
them "ASAP" is the way to do that (and -private isn't vendor-sec, after
all), then that probably warrants some sort of separate handling than
what I've written. Basically, if publishing is a good thing to handle
security updates better, doing so only after three years is going to water
that down into pointlessness. I don't see any major problem with adding
something on, but I don't know what'd suffice.  Suggestions appreciated...

Cheers,
aj
