Re: Closed list

[akuster <akuster () mvista com>]

On 04/12/2011 11:25 PM, Ronald van den Blink wrote:
> On 4/12/11 11:49 PM, "akuster" <akuster () mvista com> wrote:
>
> > On 04/11/2011 09:57 AM, Josh Bressers wrote:
> > > ----- Original Message -----
> > > > Postponed. I'd like to see any support for you getting onto the Linux
> > > > distros security contacts list, with reasoning, or/and any other
> > > > suggestions on what to do in this case. Josh - what do you think (as
> > > > someone who advocated the setup of a vendor-sec replacement)?
> > >
> > > My initial thought is that a vendor without public advisories is a
> > > liability.
> >
> > Making our Advisories public could put our customers' customers at risk
> > depending on when we publish and when our customers can get the fixes
> > into their customers hands and so on down the line.
> >
> > - Armin
> Hi Armin,
>
> Sorry for putting my $0.02 in the bucket here as well, but the whole
> purpose of a closed list is that you can fix them before releasing a
> public advisory. When you fixed it, the customers can (just like other
> dist's do, just get it patched before you publish it. 

Are you joking? I was told Embargoes could not be released to our
customers until the agreed to release date. That would change some
things and would be more like .02 euros.

- Armin

It's not that this
> is so strange, as closed source OS makers are doing the same (remember
> Black Tuesday's at MS and Apple's releases).
>
> Just my 2 cents.
>
> Ronald 
> Batavi.org
>
> >