On Fri, 2007-06-08 at 17:39 -0500, Nicolas Williams wrote:
> Rationale for being closed up until _some_ point in the process has
> been given. Anything from having to wait for legal review to wanting to
> wait for an opportune, Marketing-wise, moment -- the former being
> somewhat objective while the latter is entirely subjective.
There's another example where there may be a pragmatic need to keep
certain details confidential prior to a release date: when there are
security vulnerabilities where the release of the information is
formally or informally embargoed to allow developers time to have a
tested fix ready, especially when the same bug appears in multiple
independently-maintained source bases.
There is a common practice, not always successful, of attempting to
coordinate fixes "in quiet" followed by a synchronized announcement.
There is IMHO no good answer to how to handle vulnerability information;
we will be unable to resolve the question of full-disclosure vs.
coordination-in-secret here so let's not argue about that; IMHO the
question is how do we want to handle cases when someone receives
critical vulnerability information relevant to opensolaris under NDA or
embargo and the fix requires architectural changes that normally get ARC
review?
- Bill