Hi Ricardo,
* Ricardo Mones <[EMAIL PROTECTED]> [2007-12-05 13:15]:
> On Tue, 04 Dec 2007 14:58:26 +0100
> Nico Golde <[EMAIL PROTECTED]> wrote:
> > * Colin Leroy <[EMAIL PROTECTED]> [2007-12-04 13:05]:
> > > This bug is going to be fixed.
> > > 
> > > Would it be too much to ask the submitter to handle security issues
> > > privately until they're resolved, or is it more interesting to have
> > > them published all over the place[*] when no solution is available?
> > [...] 
> > To make it short yes. I do not share your policy for 
> > handling security relevant bugs especially if you consider 
> 
>   This is not an upstream policy, it is how most people expect security bugs to
> be handled and is part of our Developers Reference [0]. I also know
> confidentiality is not required for minor bugs.

I am aware of how to proceed with security bugs; however, the 
referenced text is only useful for packages that will get a 
DSA and for people who believe in the opposite of full disclosure, which I don't.

> > that upstream authors are fairly often unresponsive and this 
> > bug is of minor importance.
> 
>   Yep, I agree the bug has minor importance, but generalising on upstream
> unresponsiveness as justification for not sending a notice is not a good
> idea. Mainly because it makes you look like you don't think or read before
> posting, especially when the upstream of that precise script is also the
> package maintainer. It also gives arguments to upstreams on generalising how
> stupid DDs can be... :-P

Well, I have had email conversations with nearly every Claws 
developer now about this, and already had while they had a 
vulnerable version on their website... I really have no 
motivation to discuss this further; have a look in your own 
[EMAIL PROTECTED] mailbox.

> > This is no remote root exploit so I don't see your problem. If you don't
> 
>   I don't see your problem either in sending a private mail first, especially
> when there's an explicit request to do it from upstream.

Simply because I don't share this opinion.

> > want people to write about what you do, then you should not publish 
> > software. What I did is seeing a bug and using the BTS of my 
> > distribution to report it, nothing more.
> 
>   Pretending you're 'just using the BTS' is even more stupid than the
> previous justification or reveals a serious lack of knowledge about how
> security bugs are spread.

Can you stop the trolling now? What is stupid is that I get 
mails from every single claws-mail upstream developer asking 
me to contact them first, while one of their developers is 
actually the Debian maintainer; this is stupid if you ask me, 
because it's your job to tell your fellow developers about 
this. And seriously, you guys should start fixing stuff 
instead of being pissed off because it was spread about 
security sites (which was not what I did) and being pissed 
off because of a bad review in the Linux magazine (at least 
that's what I was told by a fellow developer of yours).

>   I know Colin's words were probably not in the best tone, but his request
> is fair: nobody likes reading "There was no vendor-supplied solution at the
> time of entry." in a security tracker when he had no opportunity to solve the
> problem.

Then go and piss off the guys at secwatch, because I am _NOT_ 
the one who wrote this text, thanks!

>   Your bug report was good, there was no need to make stupid justifications,
> and Colin wasn't saying the opposite, he just requested coordination.

Yes, and he did so when I had already got mails from other developers 
stating and asking the same in a more or less unfriendlier 
way:
Hi Nico
you could contact the team before to write
"There was no vendor-supplied solution at the time of entry."

Really, the whole discussion ended yesterday, and now you really need
to add your additional words that don't help either?
You guys should really start working on things instead of wasting your time
with email.
And to be honest, I am not going to contact any of you guys if I find
some bug again, simply because you have shown that you are not able to handle
this just because of some bad press.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
