1124 points CrankyBear | 1 comment
JamesBarney No.45891454
I get the idea of publicly disclosing security issues to large, well-funded companies that need to be incentivized to fix them. But I think open source has a good argument that, in terms of the risk/reward tradeoff, publicly disclosing these for small, resource-constrained open source projects probably creates a lot more risk than reward.
replies(5): >>45891546 >>45891615 >>45892029 >>45892122 >>45898765
Msurrow No.45891546
In addition to your point, it seems obvious that the disclosure policy for FOSS should be “when patch available” and not a static X days. The security issue should certainly be disclosed, when it's responsible to do so.

Now, if Google or whoever really feels like fixing fast is so important, then they could very well contribute by submitting a patch along with their issue report.

Then everybody wins.

replies(3): >>45891625 >>45891932 >>45895660
danlitt No.45891625
> it seems obvious that disclosure policy for FOSS should be “when patch available” and not static X days

This is very far from obvious. If Google doesn't feel like prioritising a critical issue, it remains irresponsible not to warn other users of the same library.

replies(3): >>45891667 >>45891696 >>45892044
afiori No.45892044
Unless the maintainers are incompetent or uncooperative this does not feel like a good strategy. It is a good strategy on Google's side because it is easier for them to manage