Message-ID: <20110405133129.GB17570@openwall.com>
Date: Tue, 5 Apr 2011 17:31:29 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Closed list

On Tue, Apr 05, 2011 at 09:52:10AM +0100, Benji wrote:
> Fixing issues secretly is definitely a no-go in my book.

I think you're mixing up distinct things:

1. Fixing security bugs secretly, then releasing the fixed software
without notifying others of the fixes.

2. Fixing security bugs secretly, then releasing the fixed software
along with information on the fixes on the coordinated release date.

I think #1 has worse drawbacks than #2.  I think that with the current
state of the community/industry/technology, we should avoid #1, but we
can do #2.

Is your opinion on #2 different, and why?

> It will and clearly
> has, created hostility between different developer groups and those that are
> allowed in and those that aren't.

Unfortunately, yes, both #1 and #2 may create hostility.

> >>However, my proposal, which I am going to try to enforce, is to only
> >>discuss medium-severity issues on this new list.  I think that an
> >>embargo period of 1-2 days does not make sense for those; if that's all
> >>we can afford, we can as well make them public right away.
> 
> So.... if this list isn't for high-severity issues what is the point of it?
> Why not use OSS-Sec.

For low-severity issues, I propose that we use oss-security right away.

I propose that we use the new closed list(s) for medium-severity issues,
where immediate disclosure on oss-security could do some harm.

In this context, I propose to use overall severity defined as the
product of risk probability and risk impact.  Of course, we'll use
guesstimates.

> I thought the only way this el8 mailing list was even
> justified was the fact that the vulnerabilities were mission-critical and
> the POCs for these vulnerabilities would potentially lead to throwing us
> back into the ice-ages.

That's not my justification.  In those special cases, I'd try to see who
is affected before sending out the detail.  However, the list may in
fact be useful to probe for affected vendors/distros - post a heads
up, with no detail on the issue, and ask to contact the reporter for
detail.  Also, propose a much shorter embargo period (than is usual for
the list).  vendor-sec was used like that on some occasions, and I think
it was an improvement over mailing the same heads up to an arbitrary
subset of distros, which happens in the absence of such a list.

> >>That said, I agree that a closed list should be a last resort, to be
> >>used whenever other options are determined to be less appropriate for a
> >>particular security issue.  Unfortunately, this determination is usually
> >>made by just one person (whoever brings the issue to the list), so it is
> >>likely to sometimes be "wrong".
> 
> So why are you using a last resort for 'medium-severity issues'?

The key words above were: "whenever other options are determined to be
less appropriate".  "Less appropriate" does not mean that it would be
the end of the world if the issue were disclosed publicly right away.
Things would just be worse, in the reporter's opinion.  So we provide a
convenient way for one distro to share info (or just a heads up) with
other likely-affected distros.  In the absence of such a list, the
reporter would likely end up notifying an arbitrary subset of the distros.

> Currently, from what you've said, it seems like you're trying to, as some
> people apparently correctly feared, an elite mailing list where you can all
> boost your egos and, excuse the term for lack of a better one, 'circlejerk'.

I fail to see what in this discussion thread makes you arrive at that
conclusion, other than presumably you readily having this opinion of any
closed discussion groups.  If that's not the case, then can you name a
closed discussion group that you would not categorize that way, and
explain why not?  This might help me and others understand you better.

> Question; now that vendor-sec has been compromised, I suppose we can expect
> a full public archive of all the emails?

Maybe, or maybe not.  This may happen if someone just goes ahead and
posts it publicly.  Other than that, making it public in an ethical
fashion feels unrealistic (we'd need to ask everyone who has ever posted
to the list).

I get your point, though: if we're not treating e-mail addresses as
private, then why are we treating the vendor-sec archive as such?
My answers to this:

We're not actually posting the vendor-sec members list; everyone who
wanted to join the new list posted to this thread on their own.

On the other hand, I would not be surprised if a decision is made to
post the vendor-sec members list.  It is in fact not as private as the
messages themselves.

(I don't know if there's even a complete archive of vendor-sec anywhere.)

Alexander
