Re: Who should security issues be reported to?

From: Paul Rubin (//phr.cx_at_NOSPAM.invalid)
Date: 01/28/05

Date: 28 Jan 2005 05:23:56 -0800

"Fuzzyman" <fuzzyman@gmail.com> writes:
> The sourceforge bug tracker *is* the single right place to post such
> issues. The py-dev mailing list would be a second *useful* place to
> post such a comment, although not really the right place. The OP seemed
> to want an individual with whom he could have a private conversation
> about it.

I think he wanted a place to send a bug report that wouldn't be
exposed to public view until the developers had a chance to issue a
patch. With bugzilla, for example, you can check a bug labelled "this
is a security bug, keep it confidential". There are lots of dilemmas
and some controversy about keeping any bug reports confidential in an
open source system. But the general strategy selected by Mozilla
after much debate seems to mostly work ok. It basically says develop
a patch quickly, keep the bug confidential while the patch is being
developed, and once the patch is available, notify distro maintainers
to install it, and then after a short delay (like a couple days),
publish the bug.

Note that anyone with access to the bug (that includes the reporter
and selected developers) can uncheck the box at any time, if they
think the bug no longer needs to be confidential. The bug then
becomes visible to the public.
