Fedora 7 and the Security Response Team

Kevin Fenzi kevin at tummy.com
Mon Jun 11 22:54:25 UTC 2007


On Mon, 11 Jun 2007 14:55:43 -0400
Christopher Aillon <caillon at redhat.com> wrote:

> Kevin Fenzi wrote:
> > - Should the filed bug have a CC to the list? I guess you mentioned
> > this above. I think it's probably a good idea so folks can see the
> > progress of fixes. 
> 
> I don't think we want to do this.  Imagine someone files a bug to us 
> with an embargo date of: future.  Someone reading the list archives 
> could easily get that information and release it to the public ahead
> of the embargo date.  Essentially, by cc:ing a public list, we broke
> the embargo ourselves.

Agreed, to be avoided. Can't we simply not add CC to the bugs that are
under an embargo? Or is there no simple way to tell?

> We want to honor embargos as much as possible, so we can continue
> being in good favor with those who give us advance notification. 
> Additionally, when we are planning to release something on a given
> day, and it turns out to get leaked, we have to scramble much more
> quickly. Not good for many reasons.

Absolutely. 

At the same time, bugs that are public already I think it's good to see
progress on the list/in bugzilla. We may spot cases where maintainers
need help, want more info, or otherwise could use input from the
security list. 

Just my 2 cents tho... if it's decided not to CC the list that's fine
too. 

kevin