[$] CVE-2018-5390 and "embargoes"
A kernel bug that allows a remote denial of service via crafted packets was fixed recently and the resulting patch was merged on July 23. But an announcement of the flaw (which is CVE-2018-5390) was not released until August 6, a two-week window where users were left in the dark. It was not just the patch that might have alerted attackers; the flaw was publicized in other ways, as well, before the announcement, which has led to some discussion of embargo policies on the oss-security mailing list. Within free-software circles, embargoes are generally seen as a necessary evil, but delaying the disclosure of an already-public bug does not sit well.