
It doesn't matter if they show "responsibly disclosed"; all their repos are publicly available to see. It takes one person looking through commits, then going "wtf is this", followed by a quick look at the code and a blog post, to make this a wildfire.


Every major Linux distro has a procedure in place for discreetly preparing updates for pre-disclosure security flaws.


It only takes one person on any of these teams to leak the details and the cat is out of the bag, and then the scramble is on.

Considering the circumstances, it appears that the process that was followed with regards to the release was as flawless as it could have been.


If this is really the case, there is no excuse.


I think the notion is the distro security team codes and tests a patch, but doesn't commit the code to public repos or release the patch publicly until an agreed-upon disclosure date.


Not necessarily that the distro security team codes the patch even. In most cases, upstream (e.g. openssl here) should have an official patch/commit that is private, but is given to these trusted distros. The security team only has to create a package with the upstream patch.

Other than that, yes, that's exactly the notion.



