Maxim Kammerer:
> On Tue, Aug 6, 2013 at 12:30 PM, Jacob Appelbaum <[email protected]> wrote:
>
>> Please feel free to answer the question, we're happy to learn from an
>> example. Are either of you involved in such an example? Might we learn
>> from your example? If so, where might we see it?
>>
>
> Tails references upstream advisories, or at least did so in the past.
> https://tails.boum.org/security/Numerous_security_holes_in_0.18/
>
I agree - Tails does a pretty good job of referencing upstream, but they don't email out an advisory for each issue in each upstream project. Nor do they do a specific analysis of each bug, spending many days of people time per bug. Somewhere there is a line and clearly, we failed to meet the high standards of a few folks on this list. I'm mostly curious if that high standard will be expressed in a cohesive manner where we might learn from it.

> I actually think they are going overboard with those, but it's an example.
> Where do you draw the line? I guess with release notes that bump versions,
> mention that users should upgrade and so on?

I tend to like the Tails way of doing things - I have advocated for a little more linkage to security advisories. Still, I think it is not as critical as a secure updater or packaging TBB for various packaging systems. We're understaffed, so we tend to pick the few things we might accomplish, and writing such advisory emails is weird unless there is an exceptional event. Firefox bugs and corresponding updates are not exceptional events. :(

Also, I'll note that even Tails doesn't reference sub-modules of the specific projects - they are just linking to DSA and related pages.

> The whole situation is pretty funny, by the way, since Mike Perry (TBB dev)
> was accused of maintaining Freedom Hosting by those OpDarknet clowns two
> years ago:
> http://pastebin.com/qWHDWCre

It is awful for Mike and I can't even begin to find it funny in the least. Though I'll take your point that it is rich with awful irony.

All the best,
Jacob

--
Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
