Furthermore, I expect vendors were fully in the loop on some private mailing
list. But here users get rather poor disclosure. Need I remind everyone that in
open source, users are your peers? If one of your peers is running a customized
version of your open source product in production, you must admit there was no
actionable information in that disclosure.
Best regards,
- Andy
On Apr 6, 2012, at 11:43 AM, Andrew Purtell <[email protected]> wrote:
>> I trust you understand the sensitivity of this issue, and the need to
>> balance a desire to disclose the issue fully to all users with a desire to
>> not publish exploits of the issue.
>
> I can understand that point of view. However,
>
> 1) This is open source, not binary only distribution. The patch for this
> particular issue as I understand it is already in the public change history
> of the project, just not clearly called out. So what are you actually hiding
> here?
>
> 2) The CVE was itself 404 when I sent the earlier email, so the only
> available detail was the announcement to security@, a Cloudera web page not
> referenced, and project change history. I went back 14 days, not far enough,
> but how was I to know? Therefore in the absence of information the language of
> the disclosure implies that the Hadoop implementation of Kerberos
> authentication is worthless.
>
> Therefore I submit that next time more context is available in the disclosure
> announcement.
>
> Best regards,
>
> - Andy
>
>
> On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <[email protected]> wrote:
>
>> I trust you understand the sensitivity of this issue, and the need to
>> balance a desire to disclose the issue fully to all users with a desire to
>> not publish exploits of the issue.