Bug#339837: Publishing more data could maybe help
On Tue, 25 Apr 2006, Javier Fernández-Sanguino Peña wrote:
> On Mon, Apr 24, 2006 at 09:54:11PM -0700, Don Armstrong wrote:
> > Here we basically have two choices.
>
> Who's *we*? Have you talked to the security team or is this just
> wishful thinking?
We == People contributing to Debian; IE, the project.
> > 1. Certain people sign NDAs/agreements to get the early disclosure
> > information; in return they cannot disclose the information. We
> > lose transparency, but security bugs can be fixed before they're
> > (widely) known in the wild.
>
> The Security Team has not signed any NDA, but a requisite to be on
> vendor-sec [1] is to keep the confidentiality of the list. This has
> been the status quo for years, it makes sense in a world where the
> bad guys do reverse engineering of security patches to develop worms
> and exploits, and it helps the Security Team provide better security
> for our users (remember, SC #4).
Right; I was attempting to indicate that an NDA or an agreement of
some kind was in place for the different lists. [I don't follow this
area very closely, but ISTR there being a list besides vendor-sec
which required an NDA or something similar.] In any case, regardless
of the legal form, the practical outcome is the same.
Don Armstrong
--
Build a fire for a man, and he'll be warm for a day. Set a man on
fire, and he'll be warm for the rest of his life.
-- Jules Bean
http://www.donarmstrong.com http://rzlab.ucr.edu