Note: This is in no way meant to diminish Tal's work, and the following is meant as a general discussion about security reporting.
Guillem Jover <[email protected]> writes:

> It does not help that there's no mention of the bug-inetutils address
> being a publicly archived mailing list in the codebase. I've mentioned
> that it would be nice to clarify this in the README, and ideally provide
> a private method for security reports (either an email address or suggest
> filing confidential ones on codeberg f.ex.), but this was dismissed and
> it was stated that sending these kinds of reports to the list was good
> because more people then can help.

What do you think about this suggested policy change?

https://codeberg.org/inetutils/inetutils/pulls/26

I did not dismiss the suggestion to have a private reporting method, but the amount of crap reports I receive in my private inbox makes me hesitant about offering that as a default supported route. But we can try it to see if it leads to any improvement.

When I ask people to make their report public, they sometimes refuse, presumably because they realize it was five minutes of AI slop work that will consume hours to understand, and it isn't uncommon for it to be invalid. I wish there were better ways to handle this asymmetric situation.

FWIW, we've received Tal's report in private and are working on patches and allocating CVE identifiers. This will take more time than if that effort were done in public (e.g., both Collin and I are away over the weekend), where you and others could help to do the analysis and review patches. I'm not convinced that the slow-down and closed nature of development, with reduced quality of review, is in the best interest of our users generally.

Several of the InetUtils network servers implement inherently insecure protocols. Often the environment required to run these services securely in the first place (e.g., an external VPN connection to a telnetd server) mitigates many security concerns.

Suggestions on how to better explain this aspect to users in the manual would be appreciated, but I believe it ought to be well understood through any modern literature about TELNET.

/Simon
signature.asc
Description: PGP signature
