Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150423011408.GE3854@hunt>
Date: Wed, 22 Apr 2015 18:14:08 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: USBCreator D-Bus service

On Wed, Apr 22, 2015 at 05:50:35PM -0700, Tavis Ormandy wrote:
> > We treat local root escalation vulnerabilities with a high priority[1].
> 
> I wish you had spoken up during the previous discussion. It was my
> impression that embargoes for local privilege escalations were universally
> considered deprecated.

Believe me, I would have spoken up had I noticed any concensus forming
around that idea in the previous discussions; I don't recall seeing it.

Anywhere, here we are, I'm speaking up now. Local root is still important
to us.

> Embargoes tend to make things worse, see your apport patch developed during
> embargo or shellshock for examples. However, if you're sure, I'm willing to
> do so for Ubuntu specific bugs in future.

I still believe reasonable length embargoes help more than they hurt; the
failures are more obvious than the successes.

Thanks

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.