Embargoes
Posted Jun 29, 2025 13:38 UTC (Sun) by anton (subscriber, #25547)
In reply to: Embargoes by rwmj
Parent article: Libxml2's "no security embargoes" policy

So the embargo was there to allow the distribution people to have an easier time at the cost of exposing the users of the faster distributions to the backdoor for longer?

Concerning "reasonable position", in what way do you consider it unreasonable?

> [...] !11!!

Not sure where that is coming from. Broken browser?

Embargoes
Posted Jul 1, 2025 14:45 UTC (Tue) by wtarreau (subscriber, #51152) (3 responses)

Sadly, this has always been how embargoes work. If you want "reasonable" ones, the best way to act is to agree on the shortest that is accepted by at least one distro and let the other ones figure out how to bypass the heavy internal paperwork that slows them down to finally get their packages in place in time. Hint: curiously it always works, because everyone can deal with emergencies. Nowadays critical issues seem to be handled as "business as usual" and I remember seeing cases where distros were asking for 14 days for an RCE because, you know, the process chain is long before packages arrive... But when you remove 2 managers and 4 weekly meetings from the process, it suddenly becomes possible to build, run the packages through the CI and have them ready for download in a few hours to days. So yes, it's important to pressure downstream to be reasonable by aligning on fast-acting ones.

Embargoes
Posted Jul 4, 2025 17:36 UTC (Fri) by anton (subscriber, #25547) (2 responses)

> Sadly, this has always been how embargoes work.

For a vulnerability (i.e., not a backdoor), the idea is that the black hats do not know the vulnerability yet, and they will learn about it when somebody publishes a bugfix; so the embargo synchronizes the publication of the bugfix, and hopefully most users have upgraded before the black hats can exploit it.

The situation is different for a back door: the black hats already know about it. So the embargo only means that some (or maybe all) affected users are exposed to the back door for longer.

Embargoes
Posted Jul 4, 2025 17:52 UTC (Fri) by mb (subscriber, #50428) (1 response)

If detailed information about a back door is published without a fix, then *everybody* can start to exploit it.

Embargoes
Posted Jul 5, 2025 16:10 UTC (Sat) by anton (subscriber, #25547)

No. Installing a backdoor requires a lot of effort, and the ones installing the backdoor have many incentives to secure the access to the backdoor: In particular, they don't want random attackers to use the backdoor for their purposes, which may draw attention to the back door or may prevent access directly (e.g., if the random attackers encrypt the target system).

So no, even with information about the back door being public knowledge, only the back door installers can exploit it. Case in point: From what I have read, no security researcher has managed to enter through the xz backdoor yet.

Embargoes
Posted Jul 2, 2025 5:43 UTC (Wed) by donald.buczek (subscriber, #112892) (1 response)

Embargoes
Posted Jul 4, 2025 17:12 UTC (Fri) by cbushey (guest, #142134)

Nice link