Return-Path: X-Original-To: apmail-incubator-ooo-dev-archive@minotaur.apache.org Delivered-To: apmail-incubator-ooo-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1E57D7D08 for ; Thu, 28 Jul 2011 23:24:01 +0000 (UTC) Received: (qmail 39266 invoked by uid 500); 28 Jul 2011 23:24:00 -0000 Delivered-To: apmail-incubator-ooo-dev-archive@incubator.apache.org Received: (qmail 39192 invoked by uid 500); 28 Jul 2011 23:24:00 -0000 Mailing-List: contact ooo-dev-help@incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: ooo-dev@incubator.apache.org Delivered-To: mailing list ooo-dev@incubator.apache.org Received: (qmail 39184 invoked by uid 99); 28 Jul 2011 23:24:00 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 28 Jul 2011 23:24:00 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=RCVD_IN_DNSWL_NONE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of apache@robweir.com designates 67.222.55.9 as permitted sender) Received: from [67.222.55.9] (HELO oproxy7-pub.bluehost.com) (67.222.55.9) by apache.org (qpsmtpd/0.29) with SMTP; Thu, 28 Jul 2011 23:23:51 +0000 Received: (qmail 6695 invoked by uid 0); 28 Jul 2011 23:23:29 -0000 Received: from unknown (HELO host181.hostmonster.com) (74.220.207.181) by oproxy7.bluehost.com with SMTP; 28 Jul 2011 23:23:29 -0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=robweir.com; s=default; h=Content-Transfer-Encoding:Content-Type:To:From:Subject:Message-ID:Date:References:In-Reply-To:MIME-Version; bh=wSvGctz6oF5VQwyQAaBU3Mr+0iktYgGxVbEDtSU130A=; b=A+dW3iNJGMEhbawcJyYkx4BHCbSLVH1QMily97KoDtHMOV2VMi2jboaJSRLXXEtcid5D0gjjXQbuIF4xZDWuuHvTjjGXocKBCo5T9ZUX3G/6XBPdphsLzV+MLicxE/TN; Received: from mail-iy0-f175.google.com ([209.85.210.175]) by host181.hostmonster.com with esmtpsa (TLSv1:RC4-SHA:128) (Exim 4.76) (envelope-from ) id 1QmZvN-0003vZ-Au for ooo-dev@incubator.apache.org; Thu, 28 Jul 2011 17:23:29 -0600 Received: by iyj12 with SMTP id 12so3737965iyj.6 for ; Thu, 28 Jul 2011 16:23:28 -0700 (PDT) MIME-Version: 1.0 Received: by 10.42.97.70 with SMTP id m6mr427912icn.482.1311895408488; Thu, 28 Jul 2011 16:23:28 -0700 (PDT) Received: by 10.42.229.74 with HTTP; Thu, 28 Jul 2011 16:23:28 -0700 (PDT) In-Reply-To: References: <000f01cc4cc4$f5e29530$e1a7bf90$@apache.org> <00b201cc4d61$9a323590$ce96a0b0$@apache.org> <4E31D790.8050409@documentfoundation.org> <010501cc4d77$cb0e9800$612bc800$@acm.org> Date: Thu, 28 Jul 2011 19:23:28 -0400 Message-ID: Subject: Re: RE: Population of ooo-security From: Rob Weir To: ooo-dev@incubator.apache.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Identified-User: {1114:host181.hostmonster.com:robweirh:robweir.com} {sentby:smtp auth 209.85.210.175 authed with apache@robweir.com} X-Virus-Checked: Checked by ClamAV on apache.org On Thu, Jul 28, 2011 at 6:59 PM, Wolf Halton wrote: > One of the things I think proprietary projects are wrong about is treatin= g > bugs, including security bugs, as secret private things. The best securit= y > solution we have is the number of eyes we allow to see the problems. I th= ink > emulating the paranoia is a mistake. Security-related bugs should go to t= he > bug squashing system all bugs go to. Triage and fixes can then follow, an= d > the more security-skilled coders can take it from there. > > Just my .02=C2=A2 > Two kinds of vulnerabilities: 1) Those that are newly discovered by this project itself, or by a responsible third party that has reported it to us. The vulnerability may be serious, but the threat is still latent because the bad guys don't know about it yet. But there is some urgency to fix the issue, because the bad guys will find out soon eventually. 2) Those vulnerabilities that come to our attention only after they are actively being used in an attack, the so called zero-day exploit. I think in case #2, there is no great reason to keep it a secret. The "cat is out of the bag" already. But in case #1, and that is the most common case, I think it is absolutely critical to keep the vulnerability from becoming public information until the project has published a patch. At that time there are standards for reporting the vulnerability so customers have a fair shot at hearing about the problem and patching their systems before the bad guys have time to deploy an exploit based on the vulnerability. Once the information is public, it is a race, between users/admins and the bad guys. Our job, in an open source project, is to do whatever we can to make sure the users/admins have a chance to win. I would agree with you that security related code should be public and discussed in public. That is one advantage that open source has. We can have many eyes review our code. But when you have a report of an exploitable vulnerability, that is something else. At that point a race has started. Will we patch the issue before someone exploits it? Or will the black hats win? -Rob