[bind10-dev] Exposing security issues via Git/Subversion, was Subversion to Git conversion

Michal 'vorner' Vaner michal.vaner at nic.cz
Wed Oct 20 11:53:20 UTC 2010


Hello

On Wed, Oct 20, 2010 at 12:58:39PM +0200, Shane Kerr wrote:
> > I'm not sure if I understand this...if we completely stop pushing (or
> > pulling, which doesn't matter in this context) for all branches,
> > doesn't the fact it stops leak the information of "there's some
> > security related work behind the scene (so this is a good time to find
> > security vulnerability in the release versions)"?  In fact, that was
> > my original question.
> 
> Ah, right.
> 
> So basically we have 2 options:
> 
> 1. Push with a filter to stop security-related work from being published
> Advantages: Other work remains public, bad guys don't know anything
> Disadvantages: We might make a mistake

The filters should work automatically (as was said, no security/* branch ever
goes public, only when it is merged to trunk). Then the chance of a mistake is
low. I would guess even lower than accidentally forgetting to turn off the
pushing.

> 2. Push and turn off completely if security-related work is going on
> Advantages: Reduced chance of accidental leakage of specific work
> Disadvantages: Bad guys know 'something' is going on

And it looks like excluding the public, the cathedral/market thing. Not allowing
the public in really looks cathedralish.

But I'm not even from ISC, nor a marketing person (which is more what this
issue is, than a technical one).

Have a nice day

-- 
Have you ever been told you are an airplane?

Michal 'vorner' Vaner
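The automatic filter discussed above (nothing under security/* ever reaches the public repository, only its eventual merge to trunk) can be enforced on the receiving side, so that a mistaken "git push --all" from the private repository is refused rather than published. The script below is an added example for this thread, not BIND 10's or ISC's own hook; the ref namespaces refs/heads/security/* and refs/tags/security/* are assumed. It is a git pre-receive hook: git feeds it one line per ref update on stdin and refuses the entire push if the hook exits nonzero.

```shell
#!/bin/sh
# pre-receive hook for the PUBLIC mirror (hypothetical example, not the project's hook).
# git writes one line per ref update to stdin: "<old-sha> <new-sha> <refname>".
# Policy from the thread: security/* work is never published; it reaches the
# public only once it has been merged to trunk.

# git uses a sha of all zeros to mean "the ref does not exist" (creation/deletion).
ZERO=0000000000000000000000000000000000000000

# Decide whether one ref name may be published. Returns 0 (allowed) or 1 (blocked).
# Both branches and tags are checked: a tag pointing at a private fix leaks it too.
ref_allowed() {
    case "$1" in
        refs/heads/security/*|refs/tags/security/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read all ref updates of one push from stdin and refuse the whole push if any of
# them would create or update a blocked ref. Rejecting everything (not just the
# offending ref) is deliberate: pre-receive is all-or-nothing, so the public
# branches from the same push are not published either and the pusher notices.
filter_push() {
    rc=0
    while read -r old new ref; do
        if [ -z "$ref" ]; then
            continue
        fi
        if ref_allowed "$ref"; then
            continue
        fi
        # Deleting a blocked ref (e.g. cleaning up after an earlier leak) is harmless;
        # creating or advancing one is what must never happen.
        if [ "$new" = "$ZERO" ]; then
            continue
        fi
        echo "refused: $ref must not be published (security work stays private until merged to trunk)" >&2
        rc=1
    done
    return $rc
}

# Act as a hook only when git itself is invoking us (git exports GIT_DIR to hooks);
# when the file is run or sourced directly it just defines the functions above.
if [ -n "${GIT_DIR:-}" ]; then
    filter_push || exit 1
fi
```

Install it as hooks/pre-receive (executable) in the bare public repository. This complements, rather than replaces, a filtered push from the private side: the private mirror job should push explicit refspecs (or, with git 2.29 or later, a negative refspec such as ^refs/heads/security/*) so that security/* is never offered in the first place, and the hook is the backstop for the day someone forgets.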