
Bug#339837: Publishing more data could maybe help



On Tue, 25 Apr 2006, Javier Fernández-Sanguino Peña wrote:
> On Mon, Apr 24, 2006 at 09:54:11PM -0700, Don Armstrong wrote:
> > Here we basically have two choices.
> 
> Who's *we*? Have you talked to the security team or is this just
> wishful thinking?

We == People contributing to Debian; i.e., the project.
 
> > 1. Certain people sign NDAs/agreements to get the early disclosure
> > information; in return they cannot disclose the information. We
> > lose transparency, but security bugs can be fixed before they're
> > (widely) known in the wild.
> 
> The Security Team has not signed any NDA, but a requisite to be on
> vendor-sec [1] is to keep the confidentiality of the list. This has
> been the status quo for years, it makes sense in a world where the
> bad guys do reverse engineering of security patches to develop worms
> and exploits, and it helps the Security Team provide better security
> for our users (remember, SC #4).

Right; I was attempting to indicate that an NDA or an agreement of
some kind was in place for the different lists. [I don't follow this
area very closely, but ISTR there being a list besides vendor-sec
which required an NDA or something similar.] In any case, regardless
of the legal form, the practical outcome is the same.


Don Armstrong

-- 
Build a fire for a man, and he'll be warm for a day.  Set a man on
fire, and he'll be warm for the rest of his life.
 -- Jules Bean

http://www.donarmstrong.com              http://rzlab.ucr.edu


