Hey Andrew,

The project members were in the loop on the private Hadoop security mailing list. This wasn't a vendor discussion.

We had a discussion about how much to disclose before sending out this notification, and there were differing opinions. Agree that we should disclose more information next time around; I'll push hard for that next time.

Thanks,
Eli

On Fri, Apr 6, 2012 at 12:08 PM, Andrew Purtell <[email protected]> wrote:
> Furthermore, I expect vendors were fully in the loop on some private mailing
> list. But here users get rather poor disclosure. Need I remind everyone that
> in open source, users are your peers? If one of your peers is running a
> customized version of your open source product in production, you must admit
> there was no actionable information in that disclosure.
>
> Best regards,
>
> - Andy
>
>
> On Apr 6, 2012, at 11:43 AM, Andrew Purtell <[email protected]> wrote:
>
>>> I trust you understand the sensitivity of this issue, and the need to
>>> balance a desire to disclose the issue fully to all users with a desire to
>>> not publish exploits of the issue.
>>
>> I can understand that point of view. However,
>>
>> 1) This is open source, not binary only distribution. The patch for this
>> particular issue as I understand it is already in the public change history
>> of the project, just not clearly called out. So what are you actually hiding
>> here?
>>
>> 2) The CVE was itself 404 when I sent the earlier email, so the only
>> available detail was the announcement to security@, a Cloudera web page not
>> referenced, and project change history. I went back 14 days, not far enough,
>> but how was I to know? Therefore in the absence of information the language of
>> the disclosure implies that the Hadoop implementation of Kerberos
>> authentication is worthless.
>>
>> Therefore I submit that next time more context is available in the
>> disclosure announcement.
>>
>> Best regards,
>>
>> - Andy
>>
>>
>> On Apr 6, 2012, at 10:20 AM, "Aaron T. Myers" <[email protected]> wrote:
>>
>>> I trust you understand the sensitivity of this issue, and the need to
>>> balance a desire to disclose the issue fully to all users with a desire to
>>> not publish exploits of the issue.
