[kde-announce] KDE Security Advisory: Konqueror Referer Authentication Leak

Rob Kaper cap at capsi.com
Tue Jul 29 15:46:29 CEST 2003


On Tue, Jul 29, 2003 at 11:38:08AM +0200, Dirk Mueller wrote:
>         07/03/2003 Notification of security at kde.org by George Staikos
>         07/10/2003 Fixed in KDE CVS.
>         07/11/2003 OS vendors / binary package providers alerted and
>                    provided with patches.
>         07/29/2003 Public Security Advisory by the KDE Security team.

Why does it take 18 days to release a security update?

"If an immediate fix is not considered necessary a security alert is issued
via dot.kde.org, bugtraq and kde-announce at kde.org"

As I do not recall a security alert on July 11th, I assume that an
"immediate fix" *was* indeed considered necessary. In what way is 18 days
even close to "immediate"?

Why do KDE users and developers have to be vulnerable for an extended period
of time based on the responsiveness of packagers? What is the exact policy
for releasing security fixes? 50% of packages done? All packages done? SuSE
packages done?

http://www.kde.org/info/security/policy.php is not clear on this.

"We then give them a reasonable amount of time to prepare binary packages."

Who is the KDE Security Team to decide this "reasonable amount of time" and
why doesn't the entire KDE contributor base get a say in this?

In what way are we an open project when OS vendors / binary package
providers are given special treatment over users and contributors?

"Applications will be evaluated on a case by case basis by the current
members. The main criteria is the extent to which someone can be helpful in
excuting [sic] the security policy as described here. That includes a
willingness not to disclose issues prematurely."

How come the security policy has been locked down, as the "team" can only be
extended by those who want to execute the policy as described? In what way
does the KDE Security team justify the special privileges over the KDE
release process they have taken?

Please do not reply with the "black hat", "white hat", "Red Hat" arguments.
I am fully aware of it and - to a certain degree - can even follow the
logic, up to the point where it breaks:

Why should users of system A have an extended period of vulnerability
because system B has a slow packaging and distribution process? There is a
*reason* I run a vanilla Slackware with many compilations from source:
source tarballs are faster to fix than waiting for new packages. That is, in
a world where source tarballs don't depend on the availability of binary
packages.

Just answer one question: who decided that 18 days was "a reasonable time"
and under what authority?

Rob
-- 
Rob Kaper     | "They that can give up essential liberty to obtain a little
cap at capsi.com | temporary safety deserve neither liberty nor safety."
www.capsi.com | - Benjamin Franklin, Historical Review of Pennsylvania, 1759