On Wed, Jul 09, 2008 at 08:17:10PM +0200, Remko Lodder wrote: > Wesley Shields wrote: > > On Wed, Jul 09, 2008 at 01:27:06PM -0400, Josh Mason wrote: > >> On 7/9/08, Remko Lodder <[EMAIL PROTECTED]> wrote: > >>> Remko Lodder wrote: > >>>> Josh Mason wrote: > >>>> > >>>> Thanks, you really showed how you are by sending these replies. I wish > >>>> you > >>> goodluck with your quest, perhaps someday someone can help you. > >>>> Goodbye. > >>>> > >>>> > >>> Hi, > >>> > >>> I am sorry for this reply, it was an expression of my frustation towards > >>> you. The frustation is just easily generated by people demanding support > >>> from volunteers, that are trying to service you and others in their own > >>> spare time. Time that they can also spend on different items, yet we > >>> crazy people decide to work on a Free Operating System, getting nothing > >>> payed for it, only happy users (Where possible) around us. > >>> > >>> I think you can understand my frustration, because I think you would reply > >>> the same if someone demanded even more free time from you. > >>> > >>> I hope you can understand this. > >>> > >>> //Remko > >>> > >> I completely understand and took no offence from your previous email - > >> I know I am being confrontational. I myself have been in that position > >> many a time before and know exactly how it feels. Unfortunately that > >> doesn't negate the responsibility of the security team to produce > >> patches quickly. > >> > >> The initial response of "the sec team is aware of the situation and > >> will investigate" was basically just fluff. If you weren't already > >> aware of it you aren't much of a sec team. What is needed is an > >> expected delivery. I would say considering the nature of the exploit > >> but honestly that shouldn't change anything at all. If the delivery > >> isn't going to be immediate there should always be an ETA provided. If > >> for nothing else other than so your users can plan around it (i.e. > >> "this is too long I need to take action myself" - "or X time or date > >> is sufficient I'll wait for the official release and apply it then"). > >> Without that people are twiddling their thumbs wondering if there is > >> ever going to be one. > > > > You have a good point there. I'm not aware of any page which describes > > the current issues under investigation by the security team. If such a > > thing does not exist I think it would be a good thing to have, > > especially if it details rough timelines for things. By that I mean > > recording historic information and expected information (we received > > notification on this date, we expect to have a final advisory on this > > date). > > > > In the security world there is a balance which must be maintained > > between providing information to consumers so that they may plan > > accordingly, and not providing too much information so that the > > attackers can write exploits; this is the sensitive nature of the > > information which often leads to opaque processes by security teams > > around the world. There is the case where full details are released > > without advance notice to the vendors/projects, in which case the > > balance has been lost from the start. > > > > Remko, do you - or anyone else - on the security team have any thoughts > > on this? I'd be willing to step up and keep a wiki page (or something > > else) up to date with the information. > > > > -- WXS > > There will be no such page with information about pending items. > Sometimes we are bound to non-disclosures etc. We handle this internally > and will continue to do so. If people cannot live with that (like Josh) > then that's their challenge. > > Note I speak largely for myself in this case. I am not going to support > a wiki page or something. I do not know what the other secteam members > think about that, but I expect something like my opinion.
That's certainly a fair statement. I understand the non-disclosure aspect of the situation, but I also feel a more transparent process where ever possible is a good idea. I suspect more thought on the matter is necessary. -- WXS _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
