On Thu Oct 02, 2003 at 08:13:29PM +0200, Luca Berra wrote:
> >There is more to it than that. Updates is a little... touchy. More
> >contributors is not going to help. I can't share the specifics of a number
> >of vulnerabilities I work on prior to them going public, so I would still
> >have to do the work myself. I can't delegate non-public
> >vulns/patches/fixes
> well, there are NDAs to cover this kind of stuff
> But I still think contribs should be clearly separated by main
Sure, there are NDAs to cover this, but an NDA isn't everything. I use NDAs with secteam... ever wonder why it's a very small group? Because they do get to know about this stuff and although I get plenty of requests, I turn a lot of people down. An NDA is a piece of paper... how can I enforce it? Someone blabs and the damage is done. I can attempt to sue after the fact, but big deal? I'm already kicked out of amazing resources that I need. An NDA is not a solution.

And yes, contribs must be clearly separate from main. That's my whole point.

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
Online Security Resource Book; http://linsec.ca/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}