Stenberg: Pre-notification dilemmas

by corbet from LWN.net on (#6A9T8)

Curl maintainer Daniel Stenberg expresses some frustrations with the vulnerability notification policies maintained by the distros mailing list.

The week before we were about to ship the curl 8.0.0 release, I emailed the distros mailing list again like I have done so many times before and told them about the upcoming six(!) vulnerabilities we were about to reveal to the world.

This time turned out to be different.

Because of our updated policy where the fixes were already committed in a public git repository, the distros mailing list's policy says that if there is a public commit they consider the issue to be public and thus they refuse to accept any embargo.

What they call embargo I of course call heads-up time.

The kernel project has run into similar issues in the past.
