Re: [Zope-dev] RE: Resolved security-related collector issues for the public?

2004-01-22 Thread Richard Waid
Paul Winkler wrote:
> On Fri, Jan 23, 2004 at 09:45:43AM +1300, Richard Waid wrote:
> > How about something along the lines of:
> >
> > - Development team only disclosure for the first x days (2 to 7 days is
> > the maximum here I would think), in order to develop a workaround/patch.
> >
> > - Full disclosure after that, along with a published patch, hotfix or
> > workaround.
>
> OK, but what if there is no patch, hotfix, or workaround ready
> after 2-7 days?  Some of these bugs have taken much longer.
I think we need to be looking at _why_ the bugs have taken much longer. 
Is it strictly lack of resources? Security fixes, generally, shouldn't 
come in batches of 10 (or whatever) because, even if they're related, it 
makes testing the 
critical-security-patch-that-needs-to-be-applied-right-now extremely 
difficult for almost everyone.

--Richard

___
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://mail.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )


Re: [Zope-dev] RE: Resolved security-related collector issues for the public?

2004-01-22 Thread Paul Winkler
On Fri, Jan 23, 2004 at 09:45:43AM +1300, Richard Waid wrote:
> Brian Lloyd wrote:
> >...or will decide that doing so is unreasonable and use something 
> >else instead :(  Note that I'm not necessarily criticizing that 
> >particular policy, just pointing out that _any_ policy will have 
> >some upside and some downside. The challenge will be coming to 
> >agreement on a policy with the right balance that everyone can 
> >live with.
> 
> How about something along the lines of:
> 
> - Development team only disclosure for the first x days (2 to 7 days is 
> the maximum here I would think), in order to develop a workaround/patch.
> 
> - Full disclosure after that, along with a published patch, hotfix or 
> workaround.

OK, but what if there is no patch, hotfix, or workaround ready
after 2-7 days?  Some of these bugs have taken much longer.
 
-- 

Paul Winkler
http://www.slinkp.com
Look! Up in the sky! It's PSUEDO LIGHTNING FRED!
(random hero from isometric.spaceninja.com)



Re: [Zope-dev] RE: Resolved security-related collector issues for the public?

2004-01-22 Thread Richard Waid
Brian Lloyd wrote:
> ...or will decide that doing so is unreasonable and use something
> else instead :(  Note that I'm not necessarily criticizing that
> particular policy, just pointing out that _any_ policy will have
> some upside and some downside. The challenge will be coming to
> agreement on a policy with the right balance that everyone can
> live with.

How about something along the lines of:

- Development team only disclosure for the first x days (2 to 7 days is 
the maximum here I would think), in order to develop a workaround/patch.

- Full disclosure after that, along with a published patch, hotfix or 
workaround.

Other recommendations:

- Increase the number of people who have access to the security section 
of the collector, to increase the chance that it will be discussed.

- Form a closed security list for discussing such things amongst 
selected developers, away from the general public gaze (does such a 
thing already exist?)

At some stage the sysadmin has to take responsibility for the packages 
they are using. I tend to believe, as almost certainly most of the 
security community does, that not all crackers are just script-kiddies 
waiting for an exploit. Let's face facts -- if someone is reporting an 
exploitable hole, anyone else (white/black/grey hat) could have also 
found it.

I for one would love to know things like:

  Jamie Heilman wrote:
  > Clemens Robbenhaar wrote:
  > > malicious Python Scripts on my site (I guess , and I do not use DTML
  > > or some Tree-stuff -- thus I did not upgrade yet, and You may feel free
  > Actually... unless you've altered the ZMI and HelpSys, you do use
  > dtml-tree ...and HelpSys is publicly traversable by default.

Anyone else spot the irony in the situation that _all_ the available 
security holes are available to a user who cracks the Zope collector site?

--Richard





RE: [Zope-dev] RE: Resolved security-related collector issues for the public?

2004-01-22 Thread Brian Lloyd
> Brian Lloyd wrote:
> > As the person who unfailingly gets flamed no matter which way the
> > decision leans :), I think we are probably at a point where we
> > should have an official, documented and community-agreed-to policy
> > on how these kinds of things will be handled.
> 
> My intent was not flaming anyone... Sorry for that. I just tried 
> to take the
> voice of the "average" Zope-Admin (installs Zope from a recent stable
> release, waits for the security-maintainers of distros to get security
> patches etc.).

Sorry, I should have been more clear. I didn't mean to imply 
that your or Jamie's notes were flames (they're definitely not), 
just that I'd been singed in the past ;)


> > At a minimum, having a clear and documented policy would provide
> > the benefit of 'no surprises' - if you disagree with the policy,
> > or some aspect of it, you would at least be able to plan around it.
> 
> Very good idea...:) If all Zope-Admins can read before an installation:
> "Security exploits will be exposed to the public as soon as they're
> resolved in the CVS" everyone will & should run Zope out of CVS.

...or will decide that doing so is unreasonable and use something 
else instead :(  Note that I'm not necessarily criticizing that 
particular policy, just pointing out that _any_ policy will have 
some upside and some downside. The challenge will be coming to 
agreement on a policy with the right balance that everyone can 
live with.


Brian Lloyd           [EMAIL PROTECTED]
V.P. Engineering      540.361.1716
Zope Corporation      http://www.zope.com


