On Tue, 2012-06-12 at 02:23 +0800, Aron Xu wrote:
> On Tue, Jun 12, 2012 at 2:11 AM, Thomas Goirand <z...@debian.org> wrote:
> > On 06/12/2012 01:52 AM, Aron Xu wrote:
> >> IMHO I suggest to talk with Security Team before disclosing
> >> information that might be sensitive in the mean time on a Debian
> >> development mailing list.
> >>
> > Could you explain to me what exactly I'm disclosing?
> > The news is already on slashdot and so on, and I think
> > it'd be better to know, as hackers will.
> >
>
> I'm not saying you are disclosing anything, but you are asking if
> someone knows it's in what status publicly in a Debian development
> mailing list. Then this may lead to some disclosing and even mislead
> some other people. Yes there are many people doing tests just like
> you, and they are reporting their results in many ways they prefer.
> But as you are a DD you'd better not ignore our Security Team when
> starting discussion publicly about a security incident you are not
> sure whether it's relevant to Debian. People at Security Team are not
> only responsible for fixing things when it breaks out, but also make
> sure sensitive information is being disclosed in a correct form at a
> correct time. In the end, I believe talking with them beforehand is
> always a right way to do, no matter if Debian is affected by this
> particular issue.
>

To be honest, I think -devel is a bad place for this just because it's more or less full of useless, hundred mails long threads, so for example I barely can follow it (and consider removing my subscription). So it'd be better on some less noisy, security related, debian list like debian-secur...@lists.debian.org.

Regards,
--
Yves-Alexis