[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gpsd-dev] Moving ntpd to an open VCS

From: Harlan Stenn
Subject: Re: [gpsd-dev] Moving ntpd to an open VCS
Date: Wed, 23 Oct 2013 19:58:35 +0000

"Gary E. Miller" writes:

> On Wed, 23 Oct 2013 07:38:35 +0000
> Harlan Stenn <address@hidden> wrote:
> > > security patches private is not generally accepted by the
> > > open-source community.  I'm not going to argue the merits here
> > > because my personal views are not very relevant; what matters is
> > > the social fact that most open source developers are fans of prompt
> > > full disclosure, or at most a very short timeout. The minority that
> > > partially agrees with you will not save you on any of these other
> > > issues.
> >
> > ...
> > be, depending on the definition of "prompt".  The NTP Project's
> > software is core infrastructure stuff.  It's not something people
> > generally casually install.  If we get a security report, we contact
> > folks like CERT and they get back to us and usually ask for at least
> > a 45 day disclosure embargo after we get them patches so the OS
> > vendors and various gov't agencies can prepare for the "announcement".
> Yes, you really need to give the NSA a chance to exploit your bugs before
> anyone can patch them.

Are you joking?

If not, please consider some other possibilities where that is a myopic
and half-baked response, borderline pernicious, and paints you in an ill


reply via email to

[Prev in Thread] Current Thread [Next in Thread]