[License-discuss] Coordinated release of security vulnerability information.

John Sullivan johns at fsf.org
Fri Aug 23 20:43:20 UTC 2019


VanL <van.lindberg at gmail.com> writes:

> Hi Lukas,
>
> Thanks for your reply. Based on your response, as well as the other
> responses here, it seems like the structure of this clause is
> non-problematic.
>
> However:
>
> On Thu, Aug 22, 2019 at 3:14 PM Lukas Atkinson <opensource at lukasatkinson.de>
> wrote:
>
>> However, that 90 day window is awfully long... In the context of a source
>> distribution requirement, a full 90 day embargo is unnecessarily long. At
>> that point where a fix is first deployed by an operator, the issue has
>> already been fixed and only distribution of patches to all operators
>> remains to be done. It is in the interest of all users that this happens as
>> expediently as possible. The only advantage that a long source embargo
>> period would have is that an insider operator could deploy mitigations
>> before a proper patch is available, but this still leaves the wider
>> community vulnerable.
>>
>
> I see this point. Having been inside a SaaS vendor, though, I am sometimes
> astounded that anything gets done at all. My thinking is that conforming
> with "standard" timeframes is most likely to encourage proper behavior by
> vendor/operators, even if it would not be ideal in isolation - thus
> increasing welfare on average.
>
> We could also do something like 60 days, which is shortened, but still long
> enough to allow for slow corporate processes.
>
> Thoughts on this response? Also, any thoughts from others?
>

I'd be a little worried about what people might define as a "fix". Is
there any opportunity there to shoehorn other things into that category
/ what's the check on that? Since many companies have over the years
called things security fixes or bundled things with security fixes that
are either clearly not or that very much depend on who is defining both
"security" and "fix".

-john

-- 
John Sullivan | Executive Director, Free Software Foundation
GPG Key: A462 6CBA FF37 6039 D2D7 5544 97BA 9CE7 61A0 963B
https://status.fsf.org/johns | https://fsf.org/blogs/RSS

Do you use free software? Donate to join the FSF and support freedom at
<https://my.fsf.org/join>.
