On Sun, Jan 30, 2005 at 06:05:37PM -0500, Greg Stark wrote:
> There are always ways for a sysadmin to close the vulnerability, even if it
> means temporarily limiting access until the fix is available. How would you
> like to be a sysadmin that finds his system exploited only to discover that
> the vulnerability was known and he could have worked around it had he been
> informed, but those in the know kept it secret until a patch was published.

While true, I think an argument can be made to notify as many people as
possible, and posting to -core means a message is more likely to go to
-announce where more PostgreSQL admins will see it. It's possible not all
admins will be reading -general.

> The only way keeping it secret is really justified is if a) You know no
> malicious persons are aware of the vulnerability (which of course one never
> really knows for certain) b) it's more reasonable for a sysadmin to run with
> the vulnerability than to work around it using whatever means necessary (and
> you feel comfortable making that decision for every sysadmin everywhere).

Sure. Actually, for something as obvious as trusting network access I'd
actually assume the person posting it would be smart enough to point out the
solution as well.

While I'm for public disclosure in general, I do think 24 hours' notice is
not too much to ask for. And hey, given the volume of -general, sending to
security@ might get it read a little earlier by people who can do something
than just dumping it on the mailing list.

My preferred scenario would be to actually ring someone in -core on the phone
and discuss it directly and work it out from there. But I don't know the
chances of that.

At the end of the day the people making the disclosure make the decision; our
discussing it won't make a difference there... :)

Have a nice day,
-- 
Martijn van Oosterhout <kleptog@xxxxxxxxx> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.