On Wed, Jun 09, 2004 at 01:02:40AM -0700, Jake Appelbaum wrote:
> I am interested in what you will write, as this list isn't closed.
> Anytime we discuss flaws we find in software, it's almost always going
> to be in debian proper (with the non-free exceptions) and an attacker
> can always watch this list.
So far I wrote a little piece where I just said "don't name names".
Of the things that have been reported here so far, apart from
a couple of public vulns, nothing has been reported publicly.
I've had a few mails from people privately describing things,
and that seems the way to go - either direct to me, or to the
security team.
Of course it could just be because we don't have much traffic
upon this list!
I had envisaged this list being mostly used for people to
post snippets of code so that others could assess problems,
or potential fixes - sometimes fixing bugs can be hard work
if you don't want to change behaviour.
(For example, the recent `gatos` advisory contained my fix
of simply removing all the relevant code - rather than trying
to fix it properly.)
> Perhaps we should talk about the ways we talk about things on this list,
> along with the way we support talking about things we find that pertain
> to this list?
That's a good idea, and I will try to have an expanded section
shortly.
> I personally think that responsible disclosure is a good idea. I do
> support full disclosure after vendor/programmer/distro contact is made
> and patches are available.
Me too.
Steve
-- 
# The Debian Security Audit Project. http://www.debian.org/security/audit

Received on Thu Jun 10 2004 - 20:02:55 BST