Re: thoughts on kernel security issues

From: Linus Torvalds
Date: Thu Jan 13 2005 - 18:09:14 EST




On Thu, 13 Jan 2005, Alan Cox wrote:
>
> > - _short_ embargo, for kernel-only. I obviously believe that vendor-sec
> > is whoring itself for security firms and vendors. I believe there would
> > be a place for something with stricter rules on disclosure.
>
> Seems these two could be the same list with a bit of respect for users'
> wishes and common sense.

Possibly. On the other hand, I can well imagine that the list of
subscribers is different for the two cases. The same way I refuse to have
anything to do with vendor-sec, maybe somebody else refuses to honor even
a five-day rule, but would want to be on the "no rules, but let's be clear
that we're all good guys, not gray or black-hats".

Also, especially with a hard rule, there's just less confusion, I think,
if the two are separate. Otherwise you'd have to have strict Subject: line
rules or something - which basically means that they are separate lists
anyway.

But hey, it's not even clear that both are needed. With a short enough
disclosure requirement, maybe people feel like the "five-day rule,
possibly explicitly _relaxed_ by the original submitter" is sufficient.

Linus