On Tue, 25 Apr 2006, Javier Fernández-Sanguino Peña wrote:
> On Mon, Apr 24, 2006 at 09:54:11PM -0700, Don Armstrong wrote:
> > Here we basically have two choices.
>
> Who's *we*? Have you talked to the security team or is this just
> wishful thinking?

We == people contributing to Debian; i.e., the project.

> > 1. Certain people sign NDAs/agreements to get the early disclosure
> > information; in return they cannot disclose the information. We
> > lose transparency, but security bugs can be fixed before they're
> > (widely) known in the wild.
>
> The Security Team has not signed any NDA, but a requisite to be on
> vendor-sec [1] is to keep the confidentiality of the list. This has
> been the status quo for years; it makes sense in a world where the
> bad guys do reverse engineering of security patches to develop worms
> and exploits, and it helps the Security Team provide better security
> for our users (remember, SC #4).

Right; I was attempting to indicate that an NDA or an agreement of
some kind was in place for the different lists. [I don't follow this
area very closely, but ISTR there being a list besides vendor-sec
which required an NDA or something similar.]

In any case, regardless of the legal form, the practical outcome is
the same.


Don Armstrong

-- 
Build a fire for a man, and he'll be warm for a day.
Set a man on fire, and he'll be warm for the rest of his life.
 -- Jules Bean

http://www.donarmstrong.com              http://rzlab.ucr.edu