
How long should security embargoes be?

Posted Feb 9, 2012 4:17 UTC (Thu) by arjan (subscriber, #36785)
Parent article: How long should security embargoes be?

I've been around distros small and big for a long time now, and personally I've come to the conclusion that I will not do embargoes for things I have any say or choice in, and I will not join lists that enforce embargoes on my behalf. [I've had people try the "but we put you on the CC with such a list on the CC as well so you're also under the embargo", but I just laughed at the guy... that was just so sad it was funny]

The tradeoff of leaving a wide range of users vulnerable during the embargo does not, in my mind, extend to 2 weeks... If you as a distro can't get a mitigation out in 24 hours, with maybe a more complete fix in 72 hours, then frankly, fix your internal processes. That's not a reason to keep people vulnerable for a very long time.


How long should security embargoes be?

Posted Feb 9, 2012 10:26 UTC (Thu) by Klavs (guest, #10563)

Not embargoing might also help people ensure they have defence in depth, so one "currently released and unsolved" vulnerability doesn't hit them so hard.

How long should security embargoes be?

Posted Feb 10, 2012 23:39 UTC (Fri) by PaXTeam (guest, #24616)

users aren't vulnerable during the embargo only, they're vulnerable as long as they use the buggy code. the latter is usually much much longer than the former so a few days more or less for an embargo doesn't really change anything. actually i'm surprised you'd go public with such a statement considering your participation in one of the worst handled linux security bugs of all times. to refresh your memories, this is what was posted to vendor-sec on 2003.09.25:

<arjan> there's a security hole found by akpm
<arjan> that also hits your kernels
<arjan> Subject: [PATCH] do_brk() bounds checking
<arjan> that patch you want
<arjan> agreement is to put it in silently (eg no changelog)
<davej> ok
<arjan> it's not exactly public stuff either
<arjan> linus committed it with a non-security comment
<arjan> so should we
<davej> ok

and the result of this was the now infamous debian core infrastructure compromise a few weeks later. what did you want to prove again?

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds