|
From: | Gerry Creager - NOAA Affiliate |
Subject: | Re: [gpsd-dev] Moving ntpd to an open VCS |
Date: | Wed, 23 Oct 2013 15:20:59 -0500 |
"Gary E. Miller" writes:> > ...
> On Wed, 23 Oct 2013 07:38:35 +0000
> Harlan Stenn <address@hidden> wrote:
>
> > > security patches private is not generally accepted by the
> > > open-source community. I'm not going to argue the merits here
> > > because my personal views are not very relevant; what matters is
> > > the social fact that most open source developers are fans of prompt
> > > full disclosure, or at most a very short timeout. The minority that
> > > partially agrees with you will not save you on any of these other
> > > issues.
> >
> > be, depending on the definition of "prompt". The NTP Project'sAre you joking?
> > software is core infrastructure stuff. It's not something people
> > generally casually install. If we get a security report, we contact
> > folks like CERT and they get back to us and usually ask for at least
> > a 45 day disclosure embargo after we get them patches so the OS
> > vendors and various gov't agencies can prepare for the "announcement".
>
> Yes, you really need to give the NSA a chance to exploit your bugs before
> anyone can patch them.
If not, please consider some other possibilities where that is a myopic
and half-baked response, borderline pernicious, and paints you in an ill
light.
H
[Prev in Thread] | Current Thread | [Next in Thread] |