[Koha-devel] Koha Library Software

Robin Sheat robin at catalyst.net.nz
Fri Jun 3 14:29:32 CEST 2011


On Friday 3 June 2011 22:03:50, MJ Ray wrote:
> Please, no closed list for development discussions.  If someone finds
> a security vulnerability and has a support provider, they should
> tell them.  If they do not, contact the project release manager -
> hopefully we always have release managers who value security highly.

That's not really possible for people outside the project to figure out 
easily. We want to make it as easy as possible for vulnerabilities to be 
reported.
 
> I'd encourage everyone to practice full disclosure and discuss them on
> the BTS or koha-devel as much as possible.

That's not how responsible disclosure (which is distinct from, and an 
improvement upon full disclosure) works. Typically you want as few people as 
possible to know about the vulnerability until it's been patched and released. 
This keeps the users as secure as is reasonably possible.

The standard approach, taken by many open source projects, is to have some 
really easy way of confidentially reporting vulnerabilities, these are then 
resolved and released, at which point an announcement is made. Ideally this 
announcement consists of a workaround if possible, a patch for older versions 
(if you can't upgrade for some reason), and a release with that patch 
included.

This ensures that the risk of an active exploit finding its way into the wild 
is reduced before people have a reasonable chance to do something about it.

This is one of the few situations where I think development in private, or at 
least semi-private, is a good thing.

-- 
Robin Sheat
Catalyst IT Ltd.
✆ +64 4 803 2204