From: Solar Designer <solar-cxoSlKxDwOJWk0Htik3J/w <at> public.gmane.org>
Subject: Re: distros & linux-distros embargo period and message format
Newsgroups: gmane.comp.security.oss.general
Date: Wednesday 1st February 2012 20:54:59 UTC (over 5 years ago)
On Fri, Jan 20, 2012 at 01:44:45PM +0400, Solar Designer wrote:
> http://oss-security.openwall.org/wiki/mailing-lists/distros
> 
> to state the following:
> 
> "Please note that the maximum acceptable embargo period for issues
> disclosed to these lists is 14 to 19 days, with embargoes longer than 14
> days (up to 19) allowed in case the issue is reported on a Thursday or a
> Friday and the proposed coordinated disclosure date is thus adjusted to
> fall on a Monday or (preferably) a Tuesday.  Please do not ask for a
> longer embargo.  In fact, embargoes shorter than 14 days are preferable."

I've just revised the last sentence above to say "In fact, embargo
periods shorter than 7 days are preferable."

Can we possibly afford to change the maximum to 7 to 11 days (depending
on day of week)?  That is, 7 days is the standard maximum, up to 11 days
is possible if the issue is reported on a Thursday or a Friday (only in
these two cases).  I am for this change (in both my list member for
Openwall and my list admin capacity).  What about others?

(In fact, I'd prefer an even shorter maximum, but I am proposing what I
think has a chance to be approved by others without making the list a
lot less useful to them.)

Also, I added the following to the wiki page:

"Please note that any/all list postings may be made public once the
corresponding security issue is publicly disclosed, so please do not
post information that you want to stay private forever."

with a footnote that says:

"There was/is intent to be making all list postings public with a delay,
which is currently not yet implemented for technical reasons, but it may
be implemented and applied retroactively - that is, including to past
postings."

Those "technical reasons" are me not being aware of a program to
mass-decrypt an mbox with PGP/MIME messages (producing an mbox with
decrypted messages).  I'd appreciate it if someone finds or writes
this program.

Alexander
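
Added example, not part of the original message and not Openwall's or the list's own code: one way to write the program asked for above, which walks an mbox, unwraps each PGP/MIME (RFC 3156) message through GnuPG, and writes an mbox of decrypted messages. It assumes `gpg` is on the PATH with the list's secret key usable non-interactively; the function names are hypothetical.

```python
import email
import mailbox
import subprocess

CONTENT_HEADERS = ("Content-Type", "Content-Transfer-Encoding", "Content-Disposition")

def gpg_decrypt(ciphertext: bytes) -> bytes:
    # Assumption: GnuPG is installed and the secret key is usable without a
    # prompt (gpg-agent, or an unprotected key on an offline host).
    return subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"],
                          input=ciphertext, stdout=subprocess.PIPE, check=True).stdout

def decrypt_message(msg, decrypt=gpg_decrypt) -> bool:
    """Replace a PGP/MIME (RFC 3156) envelope in place; True if decrypted."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if str(msg.get_param("protocol", "")).lower() != "application/pgp-encrypted":
        return False
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        return False  # malformed envelope: leave the message untouched
    # Part 1 is the "Version: 1" control part, part 2 the armored ciphertext.
    inner = email.message_from_bytes(decrypt(parts[1].get_payload(decode=True)))
    # The plaintext is a full MIME entity: adopt its content headers and body,
    # keep the outer From/Date/Subject/Message-ID headers.
    for name in CONTENT_HEADERS:
        del msg[name]
        if inner[name] is not None:
            msg[name] = inner[name]
    msg.set_payload(inner.get_payload())
    msg.preamble, msg.epilogue = inner.preamble, inner.epilogue
    return True

def decrypt_mbox(src_path, dst_path, decrypt=gpg_decrypt):
    """Copy src mbox to dst, decrypting what can be; returns (decrypted, failed)."""
    src, dst = mailbox.mbox(src_path, create=False), mailbox.mbox(dst_path)
    decrypted = failed = 0
    try:
        for msg in src:
            try:
                decrypted += decrypt_message(msg, decrypt)
            except subprocess.CalledProcessError:
                failed += 1  # wrong key or damaged data: keep the ciphertext copy
            dst.add(msg)
        dst.flush()
    finally:
        src.close()
        dst.close()
    return decrypted, failed
```

Messages that are not PGP/MIME, or that GnuPG cannot decrypt, are copied through unchanged, so the output mbox has the same message count as the input and the `failed` count says how many still need attention.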
 