• Atemu@lemmy.ml
    link
    fedilink
    arrow-up
    59
    arrow-down
    7
    ·
    10 months ago

    Security-critical C and memory safety bugs. Name a more iconic duo…

    I’d have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn’t always easily possible. Could we at least have a coordinated disclosure time each month? That’d be great.

    • clever_banana
      link
      fedilink
      arrow-up
      13
      arrow-down
      1
      ·
      10 months ago

      Public disclosure is typically done 90 days after Deva are privately notified. That should be enough time for security-critical bugs.

      • Atemu@lemmy.ml
        link
        fedilink
        arrow-up
        12
        ·
        10 months ago

        They did follow that. You can read their disclosure timeline in their report.

        Problem is that the devs of glibc aren’t the only people interested in getting glibc patched but us distro maintainers too.

        What I would have preferred would be an early private disclosure to the upstream maintainers and then a public but intentionally unspecific disclosure with just the severity to give us distro people some time to prepare a swift rollout when the full disclosure happens and the patch becomes public.

        Alternatively, what would be even better would have been to actually ship the patch in a release but not disclose its severity (or even try to hide it by making it seem like a refactor or non-security relevant bugfix) until a week or two later; ensuring that any half-decent distro release process and user upgrade cycle will have the patch before its severity is disclosed. That’s how the Linux kernel does it AFAIK and it’s the most reasonable approach I’ve seen.

      • Atemu@lemmy.ml
        link
        fedilink
        arrow-up
        5
        arrow-down
        2
        ·
        10 months ago

        I’m afraid I don’t understand what you’re trying to say.

        • Lightdm@feddit.de
          link
          fedilink
          arrow-up
          4
          ·
          10 months ago

          I am not sure as well, but maybe they meant “maybe an early and public disclosure increases the urgency of the fix for the developers”?

          • Devorlon@lemmy.zip
            link
            fedilink
            English
            arrow-up
            10
            ·
            10 months ago

            There have been cases [1] where vulnerabilities in software have been found, and the researcher that found it will contact the relevant party and nothing comes of it.

            What they’re suggesting is that the researcher who discovered this might have already disclosed this in private, but felt that it wasn’t being patched fast enough, so they went public.

            • IAm_A_Complete_Idiot@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              ·
              10 months ago

              The solution here generally afaik is to give a specific deadline before you go public. It forces the other party to either patch it, or see the problem happen when they go live. 90 days is the standard timeframe for that since it’s enough time to patch and rollout, but still puts pressure on making it happen.