[board] Fwd: [core] Coordination with Debian for security problems ?
Chuck Hagenbuch
chuck at horde.org
Wed Feb 6 03:44:34 UTC 2008
Quoting Ben Klang <ben at alkaloid.net>:
> I agree with the spirit of helping our biggest installs protect
> themselves, but we need to be careful and respectful of the grace
> period given to us by the security researchers who report the
> problems. The ability to release the information is their value and
> their notification to us is a courtesy. I would only feel
> comfortable including specific sites (or really, anyone beyond the
> core team and whoever actually codes the fix) if we can guarantee the
> information will be kept confidential until a coordinated release is
> made. It *could* also raise a potentially sticky question of who
> gets the information and who does not (and why not).
Agreed. I've created vendor at lists.horde.org and subscribed some
initial users from core, and Gregory from Debian. Subscription for
other developers here will be opt-in, and needs to be approved by a
list administrator (Jan or myself). Other admins are welcome - please
just let me know.
We'll have to formalize a policy about this; I'm thinking I will write
it up on the wiki. I don't see a reason to keep the existence of the
vendor list secret, just to keep the contents confidential. The list
will be publicly advertised on lists.horde.org, but subscription is
moderated and the archives are private.
Again, feedback on this is welcome. It's not an idea out of nowhere,
so we'll probably get most of this right, but we'll have to tweak it
I'm sure.
-chuck