• clever_banana@lemmy.today
    link
    fedilink
    arrow-up
    13
    arrow-down
    1
    ·
    10 months ago

    Public disclosure is typically done 90 days after Deva are privately notified. That should be enough time for security-critical bugs.

    • Atemu
      link
      fedilink
      arrow-up
      12
      ·
      10 months ago

      They did follow that. You can read their disclosure timeline in their report.

      Problem is that the devs of glibc aren’t the only people interested in getting glibc patched but us distro maintainers too.

      What I would have preferred would be an early private disclosure to the upstream maintainers and then a public but intentionally unspecific disclosure with just the severity to give us distro people some time to prepare a swift rollout when the full disclosure happens and the patch becomes public.

      Alternatively, what would be even better would have been to actually ship the patch in a release but not disclose its severity (or even try to hide it by making it seem like a refactor or non-security relevant bugfix) until a week or two later; ensuring that any half-decent distro release process and user upgrade cycle will have the patch before its severity is disclosed. That’s how the Linux kernel does it AFAIK and it’s the most reasonable approach I’ve seen.