Date: Mon, 24 Jun 2002 19:21:50 -0700
From: Brian Nelson <notgod@notgod.com>
To: Theo de Raadt <deraadt@cvs.openbsd.org>
Cc: Jason Stone <jason-fbsd-security@shalott.net>, FreeBSD Security <security@FreeBSD.ORG>
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
Message-ID: <3D17D3BE.8010803@notgod.com>
References: <200206250156.g5P1upLJ029822@cvs.openbsd.org>

Theo de Raadt wrote:

> Jason is begging that I release a patch tomorrow. What do you the
> rest of you think? Do you wish to be immunized first or should we
> just post a patch, and have a public exploit a day later?

Just tossing an idea out (that I am sure a great number of you will not like)...

How about working with the OS security officer (and whoever else) to release a binary SSHD (PGP/GPG signed by the SA's of the OS's), but not have the patches committed into public view (CVS, etc) until you feel it's the right time to release the specifics...

I would think this would minimize exposure while allowing people to secure their machines...

Of course, this assumes that you (and other people) trust the SO's not to use and/or publish the information without your permission... maybe copyrighting the source (like the OpenBSD iso) and then you can manage the permissions on the source patch... and release the rights on the patch when the moon aligns with Orion's belt....

-Brian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message