On Wed, 2004-06-02 at 11:25, Steve Kemp wrote:
> I will add a section, in general I support responsible disclosure,
> and whilst that's the kind of thing that I'd like to see given the
> nature of the Debian project I'm not averse to it when it comes to
> closed source code.
>
> It's a tricky thing to explain succinctly, I shall try my best.
I am interested in what you will write, as this list isn't closed.
Anytime we discuss flaws we find in software, it's almost always going
to be in debian proper (with the non-free exceptions) and an attacker
can always watch this list.
Perhaps we should talk about the ways we talk about things on this list,
along with the way we support talking about things we find that pertain
to this list?
I personally think that responsible disclosure is a good idea. I do
support full disclosure after vendor/programmer/distro contact is made
and patches are available.
-- Jake Appelbaum <jacob_at_appelbaum.net>