[Koha-devel] Koha Library Software

MJ Ray mjr at phonecoop.coop
Mon Jun 6 10:34:17 CEST 2011


Robin Sheat wrote:
> Op vrijdag 3 juni 2011 22:03:50 schreef MJ Ray:
> > Please, no closed list for development discussions.  If someone finds
> > a security vulnerability and has a support provider, they should
> > tell them.  If they do not, contact the project release manager -
> > hopefully we always have release managers who value security highly.
> 
> That's not really possible for people outside the project to figure out 
> easily. We want to make it as easy as possible for vulnerabilities to be 
> reported.

So let's document the current practice and make it easier?  Changing
the process, adding more steps and special bug cases seems wrong.

> > I'd encourage everyone to practice full disclosure and discuss them on
> > the BTS or koha-devel as much as possible.
> 
> That's not how responsible disclosure (which is distinct from, and an 
> improvement upon full disclosure) works. Typically you want as few people as 
> possible to know about the vulnerability until it's been patched and released. 
> This keeps the users as secure as is reasonably possible.

Delayed disclosure (the neutral name for what you describe, because it
is highly irresponsible in the eyes of full-disclosure supporters) has
often gone too far and resulted in people trying to keep problems
secret for far too long, like until every vulnerable system is
patched.  There are also the risks that someone inside the privileged
group leaks information to attackers, while good people outside that
privileged group don't even know that there's a problem.

Basically, what type of people are we?  Would we tell our neighbours
that their homes are insecure when there's a burglar about?  Or would
we keep quiet until we figured out how to secure our own home first?

As far as I know, nearly all of the vulnerabilities that Koha has
suffered have been discoverable with fairly simple tools if you knew
where to point them - most have needed some access to intranet or
related websites, thankfully.

> The standard approach, taken by many open source projects, is to have some 
> really easy way of confidentially reporting vulnerabilities, these are then 
> resolved and released, at which point an announcement is made. [...]

I don't think there is any such standard (got a link?).  Yes, many
"open source" projects are really closed when it comes to security,
but popularity is not a good argument for something, else Koha would
almost never be adopted.

The disagreement between full and delayed disclosure has been going on
in general for at least 150 years, and over 20 for internet security.
We're probably not going to change each others' views, but at least
know that not everyone wants delayed disclosure.

Hope that explains,
-- 
MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op.
Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer.
In My Opinion Only: see http://mjr.towers.org.uk/email.html
Available for hire for various work through http://www.software.coop/