Debian és a Responsible Disclosure hiánya

Now, I'm more familiar with the KDE and Gentoo bug trackers, which explicitly ask you to not post security related information there, but to contact the projects directly (this would be in following responsible disclosure guidelines). Debian's bug tracker doesn't seem to say this

Ennek ellenére sem a bejelentő, sem a Debian nem vette fel a kapcsolatot az Amarokkal.
Ezután a Secunia egy advisory-t adott ki a programhoz, vélhetően a fenti bejegyzésre alapozva.
Az Amarok csapata a Google Alerten (!) tudta meg, hogy ez a gond fennál, persze csak miután a Google indexelte a Secunia oldalát.

Mi lett volna, ha a bejelentő esetleg a KDE vagy a Gentoo bug tracker szabályzatát nézi, és nem hozza nyilvánosságra a biztonsági hibát?

• Our users would have been protected from the threat 34 hours earlier (it took us five minutes to patch it, and another hour or two to get the tarball out).
• The information would have been made available to a wide audience via the Amarok users' mailing list and the packagers' mailing list 36 hours earlier, so that anyone worried about the threat would have been notified and could take action 36 hours earlier.
• The Secunia Advisory could have come out already supplied with the information necessary for people to fix the problem (upgrade to 1.4.10).

A hiba pedig?

I want to say up front that the security value of this vulnerability rates so low that it's amazing Secunia even bothered with it. It requires local access (or at least, a shell prompt), and it requires our code parsing a file whose name was hardcoded to execute the code (doesn't)/overflow a buffer (doesn't)/do things incorrectly (doesn't). At worst, you could maybe make Amarok crash, and since this would be a race condition, you'd have to be extremely lucky, and this could only happen between when the user was downloading the Magnatune database and when it was being parsed. Not exactly mission-critical. So, the actual threat of the vulnerability was approximately nil. That wasn't the driving factor behind the sudden release -- the driving factor was the fact that since Secunia did issue an advisory, we wanted to respond to it as soon as possible. Which should have been 36 hours before.

Tehát nem nagy. Az érdekes itt az a szokás, hogy a többi program biztonsági hibáját a Debian a nyilvános hibakövetőjén vezeti.
Remélem, egyedi eset volt, és nem arról van szó, hogy a többi nem kapott nagyobb "visszhangot".

A teljes írás elolvasható az Amarok Blogban.