Message-ID: <aa6TE4xteynh2_Ca6HNTpGBRXN0UKjaeO1QKfmh9JLPDcl0GZvbZgnMqCqUIjY7tqZ7EfR1cxFot8QGtkhtBlQrlcpMdnmnCH6qxIcETRas=@protonmail.ch>
Date: Thu, 25 Jul 2019 21:35:45 +0000
From: Stiepan <stie@...tonmail.ch>
To: oss-security@...ts.openwall.com
Subject: Re: Security release pre-announcement messages

I would like to congratulate the teams that do that. If public disclosure is deemed too dangerous before a patch is available, this looks like the reasonable tradeoff. I wish it were the same with Linux...

Rationale: people could switch meanwhile to a known safe kernel. That would provide peace of mind to the "rest of us" who don't have the keys to the linux-distros kingdom of the elected few, yet wish to have secure OSes, without a window of vulnerability open to whoever hacked into the elected few's machines (or who are otherwise entitled to this secret information).
It would also make Linux governance way more democratic, which seems to be a must for such a "too big to fail" core open-source software.

Cheers,
Stiepan

Sent from ProtonMail mobile

-------- Original Message --------
On 23 Jul 2019 at 23:55, Douglas Bagnall wrote:

> On 22/07/19 11:50 PM, Solar Designer wrote:
>> Exactly. It's just an unusual disclosure process that involves giving
>> the users a heads-up a few days before public disclosure of the actual
>> vulnerabilities and fixes. So far, this process is practiced by OpenSSL
>> and Exim (any others?)
>>
>
> On the Samba team we use wording like this:
>
> https://lists.samba.org/archive/samba/2019-June/223621.html
>
> ----------------------------
> Subject: Heads-up: Security Releases ahead!
>
> Hi,
>
> This is a heads-up that there will be Samba security updates on
> Wednesday, June 19 2019. Please make sure that your Samba
> servers will be updated soon after the release!
>
> Impacted components:
> - AD DC (CVSS 6.5, Medium)
> -----------------------------
>
> We now do this systematically, after a haphazard start.
>
> To help ourselves stay on track, we are trying to formalise our
> process into something approaching a checklist:
>
> https://wiki.samba.org/index.php/Samba_Security_Process
>
> and we are happy to hear suggestions for improvement.
>
> cheers,
> Douglas