> Some of how we do this coordination will IMO need input from the
> OpenSolaris OGB because we don't want to push the info out to everyone
> via the security community when responsible/managed disclosure for
> vulnerabilities is in play. We need to have good control and trust in
> these cases of who gets information. How does a distro do this, when is
> a distro sufficiently established that it can participate (consider that
> in theory one could set up a distro purely to get early notification if
> this isn't managed well).
Seems to me that distros will mostly be conglomerations of existing OpenSolaris (and other) object files (and resulting binaries and libraries); and that the minimum information they need is the severity, very general nature of the problem, and what source needs to be updated and rebuilt. Of course, with the source open, that's enough that someone could sometimes reconstruct the exploit (esp. if they have source history and can diff to spot the change), but it's well short of a detailed description of the exploit.

By contrast, whoever actually maintains the source in question will probably need full info regarding that which they maintain; or alternatively, a proposed patch (without detailed exploit info).

And end users only need to know what to update; although those who are building anything from source _are_ in a sense maintainers of their own private distros, so they might also need to know not only to fetch an updated binary package or patch, but also what source files were involved. Since validation of all who might build from source could get insane, perhaps only publicized and redistributed distros should be treated as such, and identification of source files involved for individuals building from source would have to be subject to an additional delay and minimal detail.

So it boils down to having certain categories (internal security gurus, responsible developer, distro maintainer, end user, ...), with rules for how (or if) to validate membership in that category, and what information that (perhaps validated) membership in that category allows access to. Also, rules for proper protection of sensitive information (and for downgrading the sensitivity when all relevant distros had a patch out for X amount of time) would be needed. And finally, for how to deal with leaks.

I suppose one would want to examine existing practices for handling vulnerability info in open source projects via "responsible" disclosure.
And one might well need to run all that past the darn lawyers, both in terms of liability and of not running afoul of such monstrosities as the DMCA.

This message posted from opensolaris.org