[board] Fwd: [core] Coordination with Debian for security problems ?

Gunnar Wrobel wrobel at pardus.de
Wed Feb 6 06:18:58 UTC 2008


Hi,

Chuck Hagenbuch <chuck at horde.org> writes:

> Quoting Ben Klang <ben at alkaloid.net>:
>
>> I agree with the spirit of helping our biggest installs protect
>> themselves, but we need to be careful and respectful of the grace
>> period given to us by the security researchers who report the
>> problems.  The ability to release the information is their value and
>> their notification to us is a courtesy.  I would only feel
>> comfortable including specific sites (or really, anyone beyond the
>> core team and whoever actually codes the fix) if we can guarantee the
>> information will be kept confidential until a coordinated release is
>> made.  It *could* also raise a potentially sticky question of who
>> gets the information and who does not (and why not).
>
> Agreed. I've created vendor at lists.horde.org and subscribed some  
> initial users from core, and Gregory from Debian. Subscription for  
> other developers here will be opt-in, and needs to be approved by a  
> list administrator (Jan or myself). Other admins are welcome - please  
> just let me know.

Could you add me with wrobel at gentoo.org on that list as well? I'm
currently not responsible for the Gentoo packages but I'm handling web
apps in general. And I'll ask vapier at gentoo.org (the current
maintainer) if he wants to be added too.

Thanks!

Cheers,

Gunnar

>
> We'll have to formalize a policy about this; I'm thinking I will write  
> it up on the wiki. I don't see a reason to keep the existence of the  
> vendor list secret, just to keep the contents confidential. The list  
> will be publicly advertised on lists.horde.org, but subscription is  
> moderated and the archives are private.
>
> Again, feedback on this is welcome. It's not an idea out of nowhere,  
> so we'll probably get most of this right, but we'll have to tweak it  
> I'm sure.
>
> -chuck

-- 
____ http://www.pardus.de _________________ http://gunnarwrobel.de _

E-mail : p at rdus.de                                 Dr. Gunnar Wrobel
Tel.   : +49 700 6245 0000                         Bundesstrasse 29
Fax    : +49 721 1513 52322                        D-20146 Hamburg
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   >> Mail at ease - Rent a kolab groupware server at p at rdus <<                 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

