[License-discuss] Coordinated release of security vulnerability information.

Henrik Ingo henrik.ingo at avoinelama.fi
Sat Aug 24 16:00:43 UTC 2019


On Thu, Aug 22, 2019 at 11:40 PM Lukas Atkinson <opensource at lukasatkinson.de>
wrote:

> In the context of a source distribution requirement, a full 90 day embargo
> is unnecessarily long. At that point where a fix is first deployed by an
> operator, the issue has already been fixed and only distribution of patches
> to all operators remains to be done. It is in the interest of all users
> that this happens as expediently as possible. The only advantage that a
> long source embargo period would have is that an insider operator could
> deploy mitigations before a proper patch is available, but this still
> leaves the wider community vulnerable.
>

Note that the time window must consider more than a single vendor. Assume
(very hypothetically) that some TCP/IP flaw is found that affects many
operating systems. Linux vendors have their game together, and release
fixes within a week. But Microsoft and Apple need more time. The window in
CAL needs to be long enough so that the Linux vendors don't need to publish
source code before Microsoft and Apple have released their fixes.

In general I'd say a longer window is better here. Most will want to
publish their source as soon as they are allowed anyway.

henrik