From: Bill Moran
To: Mel Flynn, dgoodin@theregister.com
Cc: freebsd-questions@freebsd.org
Date: Tue, 15 Sep 2009 07:18:26 -0400
Subject: Re: reporter on deadline seeks comment about reported security bug in FreeBSD
Message-Id: <20090915071826.a273c4fa.wmoran@potentialtech.com>
In-Reply-To: <200909150122.43566.mel.flynn+fbsd.questions@mailing.thruhere.net>
References: <4AAE95B2.5050409@sitpub.com> <20090914214642.GA12828@Grumpy.DynDNS.org> <200909150122.43566.mel.flynn+fbsd.questions@mailing.thruhere.net>
X-Mailer: Sylpheed 2.7.0 (GTK+ 2.16.5; i386-portbld-freebsd7.2)
List-Id: User questions <freebsd-questions@freebsd.org>

Mel Flynn wrote:
>
> On Monday 14 September 2009 23:46:42 David Kelly wrote:
> > On Mon, Sep 14, 2009 at 05:13:54PM -0400, illoai@gmail.com wrote:
> > > Am 2009/9/14 Dan Goodin writhed:
> > > > Hello,
> > > >
> > > > Dan Goodin, a reporter at technology news website The Register.
> > > > Security researcher Przemyslaw Frasunek says versions 6.x through 6.4
> > > > of FreeBSD have a security bug. He says he notified the FreeBSD
> > > > Foundation on August 29 and never got a response. We'll be writing a
> > > > brief article about this. Please let me know ASAP if someone cares to
> > > > comment.
> > >
> > > Has anyone submitted a PR about this?
> >
> > Przemyslaw Frasunek has PRs posted but none recent. IMO if a PR is not
> > submitted then one has *not* informed the Powers That Be.
>
> Wrong. Security bugs should be reported to the security team, not PR'd.

It's typical for security issues to be kept hushed until a fix is ready.
As a result, there are usually no PRs, and in the case where the person
who discovered the problem is amenable, there is no public discussion at
all until a fix is available.

Apparently, Mr. Frasunek started out down that path, which is admirable.
It seems as if he doesn't have much patience, however, since he thinks
that only 2 weeks is enough time to fix a security problem and QA the fix.

-- 
Bill Moran
http://www.potentialtech.com