[sldev] Security Update 2008-10-06 to SL Viewers and source code-
Anders at Arnholm.se
Wed Oct 8 04:28:57 PDT 2008
> The least "widely used" viewer we shared source with has about 6
> users. It's honestly not a numbers game, which is why Rob said "widely
> available," not "widely used." We were reaching out to known viewer
> maintainers in advance of a full public source disclosure in order to
> reduce the chance of the information being misused.
Rob was quick in sending the patch; that is not what we are discussing.
> Working with distributions to prep a fix before full source disclosure
> is common with open source projects, from the Linux kernel to the most
> popular ssh, network filesystem and office projects. If you have
> suggestions for refining the process, please - speak up. But I doubt
> any of us would advocate dumping a future exploit in the wild before
> we've even started QA on the fix.
In this case I have to object: the details on how to write the exploit
were in the release notes. And yes, it has happened before that code was
sent out to known developers; when it comes to OpenSSH, all development
in the CVS is open to anyone to read. Nothing is closed there, and they
have one of the highest track records in security handling. To be honest,
all binaries that leave LL should have passed QA. When you sent the build
out, the code fix should have passed QA (it was not a hard fix to check).
The problem in this case then comes with the GPL: we who got the patch
had to wait with releasing the bug fix so as not to violate the GPL.
When the binaries are out, the code should be out; imho the two should
always be built and packaged in one command, all versions spread at the
same time. Personally I think an open CM system is a great gain for any
open source project. Linux has it, OpenBSD has it (OpenSSH), Firefox
has it. I know LL has some internal politics making this hard :-)
But overall, the fix as clear as possible as early as possible is a good
thing; there is nothing good in security by obscurity.