Ciaran McCreesh wrote:
On Mon, 24 Jan 2005 10:37:48 -0500 Keith P Hassen <[EMAIL PROTECTED]> wrote:
| > You could argue that we shouldn't be involved in anything like this,
| > simply on principle. However, given the choice between giving our
| > users secure systems, or not knowing about security bugs *at all*
| > for anything up to several months after RedHat and Debian do, the
| > decision was made to keep certain bugs locked for a while if this
| > was necessary for us to see the bug information.
|
| IMO, you have to decide on what is considered more important for the
| users and where gentoo's ideals lie. If engaging with vendorsec is
| _worth_ the irritation, then recognize that there is going to be a
| backlash from some members of the community. I believe that ideals
| (or approximations thereof) are only attainable if you try to
| implement them.
Those members of the community can go and take it up with VendorSec. Most of our users would prefer to get security fixes immediately, rather than several months in the future, even if it means having to wait a while for the fix information to become public. This is the first time anyone's suggested that we leave people with insecure systems rather than agree to keep bugs restricted for a while in order to get access to vulnerability data sooner.
The problem is that vendorsec is a political entity first and a security entity second. Signing up with vendorsec is a tacit endorsement of their policies; the short-sighted response is that this makes security fixes more timely for your product, but there is a cost to not having an open security-reporting policy. There is definitely a balance to be achieved here, but my point is that if you fundamentally disagree with vendorsec's policy about disclosure, then alternatives should be considered--even if that means a cost to the _short-term_ capacity of Gentoo to provide security updates.
This might seem ridiculous to you, but I think that the spirit of the open-source community is what is at stake in this regard.
Hopefully VendorSec will end up reducing their restriction periods. I'd suggest asking them to try to keep the waiting time down rather than trying to get rid of limited access bugs altogether, it might get you further.
Get me further? It's really Gentoo's decision, not mine; I am just commenting. Linus made relevant remarks on this in another newsgroup:
"And similarly, I think truly open disclosure is another fundamental -treatment-, in that it doesn't _allow_ the mentality that vendor-sec tends to instill in people. Well, maybe not 'treatment' per se: it's more like admitting you have a problem. ...It's like alcoholism. Admitting you have a problem is the first step. vendor-sec is the band-aid that allows you to try to ignore the problem ('I can handle it - I could stop any day')."
_k
--
- keith.hassen - - software.engineer - - red.iron.technologies -
"All movements go too far."
-- Bertrand Russell
