[sldev] Security Update 2008-10-06 to SL Viewers and source code- CLARIFICATION

Anders Arnholm Anders at Arnholm.se
Wed Oct 8 04:28:57 PDT 2008


Soft skrev:
> The least "widely used" viewer we shared source with has about 6
> users. It's honestly not a numbers game, which is why Rob said "widely
> available," not "widely used." We were reaching out to known viewer
> maintainers in advance of a full public source disclosure in order to
> reduce the chance of the information being misused.
>   
Rob was quick in sending the patch; that's not what we are discussing.
> Working with distributions to prep a fix before full source disclosure
> is common with open source projects, from the Linux kernel to the most
> popular ssh, network filesystem and office projects. If you have
> suggestions for refining the process, please - speak up. But I doubt
> any of us would advocate dumping a future exploit in the wild before
> we've even started QA on the fix.
>
>   
In this case I have to object: the details on how to write the exploit 
were in the release notes. And yes, it has happened before that code was 
sent out to known developers; when it comes to OpenSSH, all development in 
the CVS is open to anyone to read. Nothing is closed there, and they have 
one of the highest track records in security handling. To be honest, all 
binaries that leave LL should have passed QA. When you sent the build out, 
the code fix should have been QA passed (it was not a hard fix to check). 
The problem in this case then comes with the GPL: we who got the patch had 
to wait with releasing the bug fix so as not to violate the GPL.

When the binaries are out, the code should be out; IMHO the two should 
always be built and packaged in one command, with all versions spread at 
the same time. Personally I think an open CM system is a great gain for any 
open source project. Linux has it, OpenBSD has it (OpenSSH), Firefox has 
it. I know LL has some internal politics making this hard :-)

But overall, having the fix as clear as possible as early as possible is a 
good thing; there is nothing good in security by obscurity.
