oss-sec mailing list archives
Re: membership request to the closed linux-distros security mailing list
From: Marcus Meissner <meissner () suse de>
Date: Fri, 20 Mar 2015 16:55:54 +0100
On Fri, Mar 20, 2015 at 08:54:29AM -0700, Anthony Liguori wrote:
On Fri, Mar 20, 2015 at 8:50 AM, Stuart Henderson <stu () spacehopper org> wrote:On 2015/03/20 08:16, Anthony Liguori wrote:I think the alternative is to formalize what already appears to be the existing practice: disclose distros@ on the existence of a vulnerability but require direct contact for the details of the vulnerability if the submitter/upstream thinks the impact is high.Are private lists even needed if this policy is taken?I think there's a lot of value in being able to just send a low-medium impact issue to a single list of groups that have gone through some level of vetting without needing to respond directly to individuals and making value judgements. I also think it's helpful to have a single point of contact so that an upstream isn't dealing with 10 different people from a single organization asking for details.
Why not just publishing a low - medium impact vulnerability directly? Embargoe handling alwas also has some overhead , which is not necessary in such cases. Ciao, Marcus
Current thread:
- membership request to the closed linux-distros security mailing list Sona Sarmadi (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Solar Designer (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Anthony Liguori (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Stuart Henderson (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Anthony Liguori (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Marcus Meissner (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Anthony Liguori (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Daniel Micay (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Kurt Seifried (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Anthony Liguori (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Solar Designer (Mar 20)
- Re: membership request to the closed linux-distros security mailing list Florian Weimer (Mar 22)
- Re: membership request to the closed linux-distros security mailing list Alan Coopersmith (Mar 20)