Security Policies
Andreas Pour
kde-policies@mail.kde.org
Tue, 12 Nov 2002 06:02:52 -0600
Hi,
In light of the two security advisories issued today, it became apparent that we
lack a written policy on when security advisories are issued, on their timing,
and what is included.
The issue in this case concerned whether the advisory should note that release
candidates are affected.
There are of course various ways to handle this, and probably different people
do it in different ways. Before we reach a policy on this, I would like to
canvas what others - such as the distros, Debian, NetBSD, etc.
My view, which was not shared by others, is that once an advisory is issued, it
should note the time in which the problem was fixed in CVS. Thus, the recent
advisories noted not only that 3.0.4 was vulnerable, but that 3.0.5rc3 was as
well; ideally it would have included the CVS fix date as well (such as was done
in this NetBSD advisory: http://online.securityfocus.com/advisories/4588 .
Others (well, almost everyone else) thought we should never address test
releases and CVS.
In my view, to omit mentioning a test release when an advisory is issued is
misleading - not everyone may know (and I sure didn't) that subsequent releases
are not mentioned b/c they are "beta" or "release candidates" rather than
because the problem was fixed in them. This issue would of course be clarified
if we had a written advisory policy and linked to it in our advisories, but it
still begs the question of what the best policy is.
So here is a matrix of what I think the choices are and what I think a
reasonable policy is (X) and what it appears others thing the policy should be
(O):
+--------------------+-----------+---------------+-----------------+
| | | | |
| | CVS | Test Releases | Stable Releases |
| | | | |
+--------------------+-----------+---------------+-----------------+
| | | | |
| Always announce | | X | X O |
| | | | |
+--------------------+-----------+---------------+-----------------+
| | | | |
| Announce only if | | | |
| announce is made | X | | |
| for other reasons | | | |
| | | | |
+--------------------+-----------+---------------+-----------------+
| | | | |
| Never announce | O | O | |
| | | | |
+--------------------+-----------+---------------+-----------------+
Ciao,
Dre