[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-05 Thread IGnatius T Foobar
I'm willing to hold off on releasing our own security alert, and even perhaps
waiting until 0 Day to release an updated version of the software.  What
I'm *not* willing to do is to stop using our source code repository the way
it was intended because some tinfoil-hat thinks that someone's going to monitor
it for potential abuses.


[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-05 Thread samjam


On 05/05/11 12:46, IGnatius T Foobar wrote:

I'm willing to hold off on releasing our own security alert, and even perhaps
waiting until 0 Day to release an updated version of the software.  What
I'm *not* willing to do is to stop using our source code repository the way
it was intended because some tinfoil-hat thinks that someone's going to monitor
it for potential abuses.


I guess he's not going to give you the chance, next time.

git is fine with you having private branches that you merge/push later.


[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-05 Thread IGnatius T Foobar
You know what, I am not really interested in working with people who feel
the need to tell me exactly what they want me to do, so it's OK.  I would
much rather accept security alerts from people who do it the normal way.


[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-04 Thread IGnatius T Foobar
oops.  gotta fix that.

We're going to hold off on any releases for now, though.  The guy chose some
weird non-standard disclosure method and then got his panties in a bunch when
I misunderstood it.  Normally a coordinated disclosure means that everyone's
got a patched version available for download at the time of disclosure.  These
morons want to have everyone hold off on any patches (including public source
code repos) until the disclosure date.

I'll hold off on a release until then but I'm not going to stop using git
the way it was intended.


[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-04 Thread dothebart


well, you can commit, you just mustn't push until the disclosure date.


[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-04 Thread IGnatius T Foobar
I think that method is stupid and I'm not going to follow it.  In the real
world, coordinated public disclosures include an advisory that says "upgrade
to version x.yy in order to protect your server against this vulnerability."



[Citadel Development] Re: Embargoed: multiple jabber servers vulnerable to denial of service

2011-05-03 Thread IGnatius T Foobar
Thanks for ignoring what it means to do a coordinated release between
different products and vendors... I guess that was the first and last advance
notice for citadel, at least from my side.

You were expecting something different?  100% of the security advisories
to which we have responded in the past have involved coordinated disclosures
in which a published security advisory is able to indicate to end users exactly
which versions of various applications are invulnerable at the same time as
they are advised of the vulnerability in earlier versions.

If you were expecting to operate by some other protocol then perhaps you
should have outlined that in advance instead of being sarcastic when you are
misunderstood.

We have the fix in our tree.  There has not been a new version of the software
published, nor has there been an advisory posted to our user community.  What
is it specifically that you are expecting us to do at this time?
  
  -- A