[Koha-devel] Koha Library Software
Robin Sheat
robin at catalyst.net.nz
Fri Jun 3 14:29:32 CEST 2011
On Friday 3 June 2011 22:03:50, MJ Ray wrote:
> Please, no closed list for development discussions. If someone finds
> a security vulnerability and has a support provider, they should
> tell them. If they do not, contact the project release manager -
> hopefully we always have release managers who value security highly.
That's not really possible for people outside the project to figure out
easily. We want to make it as easy as possible for vulnerabilities to be
reported.
> I'd encourage everyone to practice full disclosure and discuss them on
> the BTS or koha-devel as much as possible.
That's not how responsible disclosure (which is distinct from, and an
improvement upon full disclosure) works. Typically you want as few people as
possible to know about the vulnerability until it's been patched and released.
This keeps the users as secure as is reasonably possible.
The standard approach, taken by many open source projects, is to have some
really easy way of confidentially reporting vulnerabilities; these are then
resolved and released, at which point an announcement is made. Ideally this
announcement consists of a workaround if possible, a patch for older versions
(if you can't upgrade for some reason), and a release with that patch
included.
This ensures that the risk of an active exploit finding its way into the wild
is reduced before people have a reasonable chance to do something about it.
This is one of the few situations where I think development in private, or at
least semi-private, is a good thing.
--
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204