From owner-freebsd-security Mon Jun 24 19:22:19 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lucubration.notgod.com (node-216-136-154-51.networks.paypal.com [216.136.154.51]) by hub.freebsd.org (Postfix) with SMTP id 5D80537B40A for ; Mon, 24 Jun 2002 19:22:15 -0700 (PDT)
Received: (qmail 34400 invoked from network); 25 Jun 2002 02:22:34 -0000
Received: from unknown (HELO notgod.com) (64.168.159.218) by node-216-136-154-51.networks.paypal.com with SMTP; 25 Jun 2002 02:22:33 -0000
Message-ID: <3D17D3BE.8010803@notgod.com>
Date: Mon, 24 Jun 2002 19:21:50 -0700
From: Brian Nelson
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Theo de Raadt
Cc: Jason Stone, FreeBSD Security
Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability
References: <200206250156.g5P1upLJ029822@cvs.openbsd.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Level:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Theo de Raadt wrote:
> Jason is begging that I release a patch tomorrow. What do the
> rest of you think? Do you wish to be immunized first, or should we
> just post a patch and have a public exploit a day later?

Just tossing an idea out (that I am sure a great number of you will not like)...

How about working with the OS security officer (and whoever else) to release a binary sshd (PGP/GPG signed by the SAs of the OSes), but not have the patches committed into public view (CVS, etc.) until you feel it's the right time to release the specifics... I would think this would minimize exposure while allowing people to secure their machines...

Of course, this assumes that you (and other people) trust the SOs not to use and/or publish the information without your permission...

Maybe copyrighting the source (like the OpenBSD ISO), and then you can manage the permissions on the source patch... and release the rights on the patch when the moon aligns with Orion's belt....

-Brian