My position: I really hate secrecy around security issues. When I'm backporting a patch for a public issue, I often look up the CVE on cve.mitre.org and find that there is still no information there, because it was embargoed previously. If I'm dealing with an embargoed issue, I have to avoid commiting any fixes to a public VCS. And if the date is pushed out for the convenience of one distributor or another, the information is quite likely to leak to the blackhats via one route or another (even if they haven't owned the list server). Not to mention government agencies that play on both sides of the security game.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds