The debian-private mailing list leak, part 1.


Vendor-sec disclosure policy



Hi all,

On Fri, 18 Jul 1997 17:59:18 BST, Enrique Zanardi wrote:
[Quoted message from vendor-sec deleted]

Let me ask people to not re-distribute things posted to this list too
widely. Information posted here can be either confidential (about
security holes not yet disclosed; forwarded info from CERT), or
preliminary (MD5sums of fixes may change if the distributor goes through
another test cycle before releasing the update info), etc.

Therefore, it is not a good idea to re-post this info to other mailing
lists, as Enrique did. It is desirable to include individual maintainers
in the discussion of a particular fix, but general information leakage
will only complicate our work.

Currently, there are two addresses on the list that are obvious mailing
list aliases, security@caldera.com and security@debian.org. I know that on
the caldera alias, there are currently 8 people from both Caldera and LST.
How many are there on the Debian list? I would feel a little reluctant
about posting confidential info to this list if it turns out that
it is being resent to 100+ people by way of exploders or procmail filters.
Also, there seems to be interest at DFN-CERT to use this list as a general
sink for Linux-related security information they receive, which may also
be strictly confidential if it affects other OSes besides Linux.

Related topic: I already had a short exchange with Erik about how to deal
with releasing bug-fix information to users. My opinion on this is that
as long as the bug has been disclosed on any public list or newsgroup,
there's no need to introduce a waiting period before you make your fix
available for FTP, or announce it to your users over your user mailing
lists. The joint announcements are just a way to group all this info
in a single message that can then be posted to cola or linux-security,
and maybe forwarded to CERT lists etc. In the first place, it's a service
to users who are not on their distributor's mailing list, and it's a PR
thing to give Linux a more professional image.

On the other hand, I feel that for bugs that have not yet been disclosed
publicly, closer coordination is wanted. In cases like these, I would
suggest we release fixes in sync with the announcements.

Do people feel this is a reasonable approach?

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
             For my PGP public key, finger okir@brewhq.swb.de.


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .