[board] Fwd: [core] Coordination with Debian for security problems?
Ben Klang
ben at alkaloid.net
Tue Feb 5 22:37:59 UTC 2008
On Feb 5, 2008, at 5:33 PM, Nuno Loureiro wrote:
>
> I was going to agree with it, but Jan pointed out that this type of
> info should remain private and this list is not, so I agree with him.
> I would copy the subscribers of this list though, since besides
> developers, the remaining members are heavy users of Horde (or run the
> biggest Horde installations on earth) and it's good that they are
> notified first-hand of security problems.
>
I agree with the spirit of helping our biggest installs protect
themselves, but we need to be careful and respectful of the grace
period given to us by the security researchers who report the
problems. The ability to release the information is their value and
their notification to us is a courtesy. I would only feel
comfortable including specific sites (or really, anyone beyond the
core team and whoever actually codes the fix) if we can guarantee the
information will be kept confidential until a coordinated release is
made. It *could* also raise a potentially sticky question of who
gets the information and who does not (and why not).
/BAK/
--
Ben Klang
Alkaloid Networks LLC
ben at alkaloid.net
404.475.4850
http://projects.alkaloid.net
>
> On Feb 5, 2008, at 22:09 , Jan Schneider wrote:
>
>> I would prefer a separate vendor@ mailing list for that. It should be
>> private, which board@ isn't.
>>
>> Quoting Chuck Hagenbuch <chuck at horde.org>:
>>
>>> This is something I could see the board list being useful for. Is it
>>> mixing the purpose of the board too much to include security
>>> notifications? Should we set up a separate list/system for that?
>>>
>>> core@ could be, if there weren't too many people.
>>>
>>> ----- Forwarded message from reg at evolix.fr -----
>>> Date: Sun, 3 Feb 2008 03:43:47 +0100
>>> From: Gregory Colpart <reg at evolix.fr>
>>> Subject: [core] Coordination with Debian for security problems?
>>> To: core at horde.org
>>>
>>> Hello,
>>>
>>> I'm a member of the pkg-horde team (two or three persons who create
>>> packages for Debian). We take care of security problems and we
>>> try to publish corrected Debian packages as soon as possible when
>>> we learn of a new security bug [*]. Do you think it possible to contact
>>> us *privately* when you have a private disclosure, in order to
>>> prepare a fixed Debian package for the day of public disclosure?
>>> And more generally, having the best way to know when you find
>>> security problems (for now, we see them in the Changelog of the
>>> (RC-)release...) could be very helpful for us.
>>>
>>> [*] Last example is here: http://www.debian.org/security/2008/dsa-1470
>>>
>>> Regards,
>>> --
>>> Gregory Colpart <reg at evolix.fr> GnuPG:1024D/C1027A0E
>>> Evolix - Informatique et Logiciels Libres http://www.evolix.fr/
>>>
>>>
>>> ----- End forwarded message -----
>>>
>>>
>>> -chuck
>>> __
>>> board mailing list
>>> Frequently Asked Questions: http://horde.org/faq/
>>> To unsubscribe, mail: board-unsubscribe at lists.horde.org
>>>
>>
>>
>>
>> Jan.
>>
>> --
>> Do you need professional PHP or Horde consulting?
>> http://horde.org/consulting/
>>
>
> ----
> Nuno Loureiro <nuno at co.sapo.pt>
> PTMail - DTP/APS/UNX - PT.COM - Portugal Telecom
>
> PGP fingerprint = 8A32 5174 E80C 2D40 9075 405E C107 6592 054A 4D05
> http://keyserver.noreply.org/pks/lookup?op=get&fingerprint=on&search=0xC1076592054A4D05
>
>
>