From: "Frank Ch. Eigler" <fche@redhat.com>
To: Mark Wielaard <mark@klomp.org>
Cc: elfutils-devel@sourceware.org
Subject: Re: Some ideas for process improvements/changes
Date: Fri, 7 Apr 2023 16:44:17 -0400 [thread overview]
Message-ID: <20230407204417.GC10746@redhat.com> (raw)
In-Reply-To: <20230407202631.GK18331@gnu.wildebeest.org>
Hi -
> Very nice. I would not have been able to describe things so
> nicely. Thanks.
My pleasure!
> > - email to <mark@klomp.org>
> > - email to <fche@elastic.org>
> > - email to <secalert@redhat.com>
>
> I am happy to receive such reports. And I trust the secalert team at
> Red Hat. But I would like to hear from other distro maintainers what
> they think of this policy. I would like to not give one distro or
> corporate entity preferred early notification of suspected security
> issues.
I believe there is an inter-company mailing list for high profile
security issues. We'd eventually hear back from the RH reps on that
list. Heck, our own RH reps could/would forward things there for high
severity things that come initially to you or me.
> Also I think we should explicitly add something like:
>
> We are happy to keep the security implication of a bug, or a proof
> of concept exploit private. But unless the bug is critical we'll
> resolve the underlying issue through the normal project development
> processes, without mentioning the security vulnerability itself.
I can't think of much harm to mentioning security vulnerabilities by
name, should they rise to the levels to justify issuance of them at
all. That is, we need not hide genuine security issues that happen to
be low severity. We just wouldn't treat them with embargo or
emergency haste, but that's okay.
> To make clear we aren't going to play security embargo theater.
Not sure that's fair -- in my experience, security embargos serve a
useful purpose: in coordinating the release of a fix among distros.
That minimizes the window of vulnerability of the entire user base
between the problem becoming public and distributing its fix. They
are thankfully rare.
- FChE
next prev parent reply other threads:[~2023-04-07 20:44 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-06 16:30 Mark Wielaard
2023-04-06 17:34 ` Frank Ch. Eigler
2023-04-06 21:57 ` Mark Wielaard
2023-04-07 0:56 ` Frank Ch. Eigler
2023-04-07 20:26 ` Mark Wielaard
2023-04-07 20:44 ` Frank Ch. Eigler [this message]
2023-10-19 16:13 ` Mark Wielaard
2023-10-25 13:10 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230407204417.GC10746@redhat.com \
--to=fche@redhat.com \
--cc=elfutils-devel@sourceware.org \
--cc=mark@klomp.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).