| From: | Martijn van Oosterhout <kleptog(at)svana(dot)org> |
|---|---|
| To: | Greg Stark <gsstark(at)mit(dot)edu> |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: [pgsql-advocacy] MySQL worm attacks Windows servers |
| Date: | 2005-01-31 00:05:13 |
| Message-ID: | 20050131000512.GD13273@svana.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-advocacy pgsql-general pgsql-www |
On Sun, Jan 30, 2005 at 06:05:37PM -0500, Greg Stark wrote:
> There are always ways for a sysadmin to close the vulnerability, even if it
> means temporarily limiting access until the fix is available. How would you
> like to be a sysadmin that finds his system exploited only to discover that
> the vulnerability was known and he could have worked around it had he been
> informed but those in the know kept it secret until a patch was published.
While true, I think an argument can be made to notify as many people as
possible and posting to -core means a message is more likely to go
-announce where more PostgreSQL admins will see it. It's possible not
all admins will be reading -general.
> The only way keeping it secret is really justified is if a) You know no
> malicious persons are aware of the vulnerability (which of course one never
> really knows for certain) b) it's more reasonable for a sysadmin to run with
> the vulnerability than to work around it using whatever means necessary (and
> you feel comfortable making that decision for every sysadmin everywhere).
Sure. Actually for something as obvious as trusting network access I'd
actually assume the person posting it would be smart enough to point
out the solution as well. While I'm for public disclosure in general I
do think 24 hour notice is not too much to ask for.
And hey, given the volume of -general sending to security@ might get it
read a little earlier by people who can do something than just dumping
on the mailing list. My preferred scenario would be to actually ring
someone in -core on the phone and discuss it directly and work it out
from there. But I don't know the chances of that.
At the end of the day the people making the disclosure make the
decision, our discussing it won't make a difference there... :)
Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> Patent. n. Genius is 5% inspiration and 95% perspiration. A patent is a
> tool for doing 5% of the work and then sitting around waiting for someone
> else to do the other 95% so you can sue them.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ned Lilly | 2005-01-31 20:23:04 | PostgreSQL at LinuxWorld Boston |
| Previous Message | Greg Stark | 2005-01-30 23:05:37 | Re: [pgsql-advocacy] MySQL worm attacks Windows servers |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | elein | 2005-01-31 01:01:36 | Re: example for read committed/volitile functions |
| Previous Message | Tom Lane | 2005-01-30 23:51:42 | Re: example for read committed/volitile functions |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2005-01-31 02:53:46 | Re: Linux Seminar Sheffield UK - 2nd March 2005 |
| Previous Message | Greg Stark | 2005-01-30 23:05:37 | Re: [pgsql-advocacy] MySQL worm attacks Windows servers |