[sldev] Security Update 2008-10-06 to SL Viewers and source code-CLARIFICATION

Soft soft at lindenlab.com
Wed Oct 8 04:43:33 PDT 2008


On Wed, Oct 8, 2008 at 6:28 AM, Anders Arnholm <Anders at arnholm.se> wrote:
>
> In this case I have to object, the details on how to write the exploit were
> in the release note.

Yes. That was not intentional. A well-intended dev edited the release
notes, which should only be maintained by a member of the release
team. That shouldn't repeat.


> The problem in this
> case then comes with GPL, we who got the patch had to wait with releasing
> the bug fix for not violating the GPL.

And that still needs to be discussed. If early limited source
disclosure becomes policy, we need to either live with having everyone
wait, or we need to find a way to allow people to release the binary
early while still complying with the licenses we offer.


> But overall the fix as clear as possible as early as possible is a good
> thing, there is nothing good in security by obscurity.

As repeated, that philosophy is about fortifying technology instead of
leaving holes merely because they're difficult to see. It's never been
a prescription for a project telling the world every way that it can
be hurt before taking any steps to protect itself.

