I see https://bugs.chromium.org/p/project-zero/issues/detail?id=1633 … was finally published today despite public commits existing for weeks. Thanks to @tehjh and Google's Project Zero for enabling Linus' silent fix commit messages to ensure only our customers get fixes promptly :)
@benhawkes Something to think about -- Google's criticism of Microsoft's policies has been very public, and P0 has historically pushed for large changes there. I don't see anything like that happening with Linux where Google is one of the main players in upstream Linux security
Replying to @grsecurity
Yeah, definitely something to think about. You're right that we haven't made an explicit endorsement or critique of silent commits by Linux upstream, what you're seeing here is essentially a default process that we apply across a bunch of different projects/vendors.
Replying to @benhawkes @grsecurity
There are some options here that we can explore. Am I right in saying that your preference would be for Project Zero to derestrict as soon as we see an upstream commit? IIRC, the distros are the ones that argue against this, saying they want some time to package their fixes?
Replying to @benhawkes
Yeah, in fact that's how I thought the process was supposed to work as I think I remember that happening in the past, but it could be that it just varies from person to person.
Yeah, post-fix disclosure (time between a fix and derestricting our bug) isn't a parameter we have a strict policy on, at least not yet, so you will see a bit more variation there. I'm not sure there's much to read into it yet, other than it's a potential tool for the future.