Message-ID: <20170628203736.GA27171@openwall.com>
Date: Wed, 28 Jun 2017 22:37:36 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: accepting new members to (linux-)distros lists

On Wed, Jun 28, 2017 at 09:22:21PM +0100, Simon McVittie wrote:
> On Wed, 28 Jun 2017 at 22:02:40 +0200, Solar Designer wrote:
> > Neither you nor others you inform may use the information for anything
> > other than getting the issue fixed for your distro's users [etc.]
>
> To be clear, does this forbid bringing upstream maintainers into the loop
> to fix vulnerabilities or review fixes in the code that they maintain?
>
> (If it does, that seems likely to lead to bugs in the deployed fixes.)

It does, but what this really means is that you'll need to ask for the
reporter's approval (as provided for in "until the agreed upon public
disclosure date/time, the reporter's explicit approval, or substantially
complete publication by others").

That's already the current practice. I think/hope we haven't been
bringing upstreams into the loop without ensuring such approval by the
reporter and lack of objections by other distros.

Some upstreams would just commit the fix without coordination, which is
both good and bad, but it certainly violates some reporters' reasonable
expectations.

Alexander