Re: Security reports in bugzilla?

From: Franck Martin <franck sopac org>
To: Telsa Gwynne <hobbit aloss ukuu org uk>
Cc: gnome-2-0-list gnome org, gnome-devel-list gnome org
Subject: Re: Security reports in bugzilla?
Date: 24 Dec 2001 02:59:45 +0000

On Sun, 2001-12-23 at 14:09, Telsa Gwynne wrote:

Reformatted for sanity: it's chaos trying to deal with email with
people adding at top and bottom: 

> > > The Free Software Foundation is for total disclosure as soon as
> > > possible. Microsoft is for total secrety until the patch is 
> > > released. There are arguments on both sides of the story, and 
> > > a search on the Internet will give you all the arguments of both 
> > > camps. However GNU , I think, is for total disclosure as early 
> > > as possible, so as the G in GNOME means GNU then the path is easy 
> > > to follow.
> >
> > Could you send us a link to this? I have never heard a stance by GNU or
> > the FSF on security hole disclosure...
>
> http://www.linuxtoday.com/news_story.php3?ltsn=2000-10-17-014-04-SC-CY
> From Eric S. Raymond:
> http://linuxtoday.com/news_story.php3?ltsn=2001-10-20-002-20-OP-MS

Eric Raymond is unlikely to speak on behalf of the Free Software 
Foundation or with the GNU Project. They're both in the "free 
software" camp. ESR is in the "open source" camp. Indeed, he 
practically founded it :)

Like Seth, I would be very curious to see an official piece from 
the FSF or from the GNU Project advocating that as soon as a hole 
is discovered, it should be publicised as widely as possible. 
Those particular groups rather than security experts or open source
folk. Just because the reference to that surprised me. 

Your first URL is a round table discussion from open source types;
it's not about "When a hole is found, send it straight to bugtraq",
which seems to me to be the logical extension of what you're saying.
It's about "Proprietary companies hide the source. We don't. We
think having it public is good -- even though you can have trouble
when a hole is found by someone not so nice". 

GNOME makes all the source available to everyone anyway.
So we do what they're advocating. 

Your second URL is a response to MS's saying "closed software is
safe software". Again, ESR is saying that having the code out there
helps people spot problems and fix them. 

In the thread so far, you seem to be saying that if a hole is found,
the existence must be immediately disseminated to everyone.

I think maintainers hate that. The fairer way is to tell
maintainers first and give them a time limit. "If not fixed
without xxx time, then I will post it more widely." 

This gives them a chance to fix it and *test* the fix so that
the fix can go out with the alert. The fix has to be right. 
A partial fix is worse: 

	* users think they're protected
	* bad guys go to see what the hole was so they can look
for similar in future. They'll do that anyway, but if they realise
the fix was incomplete they have a field day attacking "fixed"
systems.
	* confidence in the software is lowered as a result

This is why distributions have QA departments: even the most
pressing security fixes have to pass the QA tests. At least,
I really hope so! 

I know a few maintainers of everything from minor apps to 
libraries used by many programs to people in charge of parts
of the linux kernel. It's my impression that all of them 
react far better to a "here's the hole, fix it in a reasonable
time before I announce it" than to a deluge of emails pointing
them to the fact their software is up there on bugtraq.

So do their partners. I have had more than one night out cancelled
as a result of people posting holes to bugtraq without informing
software maintainers first. :) 

Telsa

http://www.zdnet.com/zdnn/stories/comment/0,5859,2615973,00.html
http://asia.cnn.com/2000/TECH/computing/07/31/ranum.on.security.idg/
http://www.theregister.co.uk/content/8/18493.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2637904,00.html?chkpt=zdhpnews01

I don't disagree with you. I may have get mixed up between ESR and FSF. However I think lately there is a great deal of talk about full disclosure as on the above links.

The problem is that people publish on bugtraq because it is a single point of contact, and apparently there has been mixed responses from companies...

I think bugzilla should allow the possibility to flag somethng as security vulnerability, or there should be a big statement on the gnome web page on what to do if you find somethng insecure...

Gnome needs a clear open policy about security issues.

Cheers.
Franck

Follow-Ups:
- Re: Security reports in bugzilla?
  - From: Telsa Gwynne

References:
- libgnomeprint status/usage
  - From: Lauris Kaplinski
- Security reports in bugzilla?
  - From: Franck Martin
- Re: Security reports in bugzilla?
  - From: Telsa Gwynne
- Re: Security reports in bugzilla?
  - From: Ross Golder
- Re: Security reports in bugzilla?
  - From: Gregory Leblanc
- Re: Security reports in bugzilla?
  - From: Franck Martin
- Re: Security reports in bugzilla?
  - From: Seth Nickell
- Re: Security reports in bugzilla?
  - From: Franck Martin

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]