On Tue, Nov 15, 2005 at 07:53:28PM +0100, Bernhard R. Link wrote:
> * Anthony Towns <aj@azure.humbug.org.au> [051115 03:12]:
> > In accordance with principles of openness and transparency, Debian will
> > seek to declassify and publish posts of historical or ongoing significance
> > made to the Debian Private Mailing List.
> > [...]
> > * The team will automatically declassify and publish posts made to
> > that list after three years, with the following exceptions:
> =====
> > [...]
> > - publication of posts that would reveal otherwise unpublished
> > security vulnerabilities in currently supported releases of a
> > Debian distribution will be deferred;
> Are you serious?
Entirely.

> If some such mail found its way to debian-private, it should be
> considered published to all blackhats by that action already. (As it
> will be sent unencrypted in several hundred copies over the internet,
> lying around unencrypted in several hundred mailboxes, ...)

And if it was sent to -private three years ago, it should be fixed by now -- even if there wasn't a security update or a point release for it; there's been a major release since then. In the fairly unlikely event that the concept hasn't been published elsewhere in the meantime, hasn't been fixed (and thus published in the archive), and the author doesn't specifically say "publish", however, it seems pretty reasonable not to pass it on to any other blackhats who might not've already seen it.

(Also, you missed the fact that master, which has unencrypted archives of -private, has been compromised in the past three years.)

> Such a point in such a list is a very bad joke, as it could be read
> that:
> - such a mail should not be published
> - there are such mails
> or even
> - there are such mails still describing something open 3 years later.

Personally, I'd rather people spread FUD about Debian than have Debian not act with utmost care about publishing private notifications of security information.

If you think "utmost care" is fixing them, and informing people about them "ASAP" is the way to do that (and -private isn't vendor-sec, after all), then that probably warrants some sort of separate handling from what I've written. Basically, if publishing is a good thing to handle security updates better, doing so only after three years is going to water that down into pointlessness. I don't see any major problem with adding something on, but I don't know what'd suffice. Suggestions appreciated...

Cheers,
aj