[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gpsd-dev] Moving ntpd to an open VCS

From: Gary E. Miller
Subject: Re: [gpsd-dev] Moving ntpd to an open VCS
Date: Wed, 23 Oct 2013 11:52:27 -0700

Yo Harlan!

On Wed, 23 Oct 2013 07:38:35 +0000
Harlan Stenn <address@hidden> wrote:

> > security patches private is not generally accepted by the
> > open-source community.  I'm not going to argue the merits here
> > because my personal views are not very relevant; what matters is
> > the social fact that most open source developers are fans of prompt
> > full disclosure, or at most a very short timeout. The minority that
> > partially agrees with you will not save you on any of these other
> > issues.
> I used to be in this camp of the open-source community.  I might still
> be, depending on the definition of "prompt".  The NTP Project's
> software is core infrastructure stuff.  It's not something people
> generally casually install.  If we get a security report, we contact
> folks like CERT and they get back to us and usually ask for at least
> a 45 day disclosure embargo after we get them patches so the OS
> vendors and various gov't agencies can prepare for the "announcement".

Yes, you really need to give the NSA a chance to exploit your bugs before
anyone can patch them.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
        address@hidden  Tel:+1(541)382-8588

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]