[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues

James Bottomley James.Bottomley at HansenPartnership.com
Sat Sep 8 21:24:59 UTC 2018


On Sat, 2018-09-08 at 12:49 -0700, Linus Torvalds wrote:
> On Sat, Sep 8, 2018, 08:54 James Bottomley <
> James.Bottomley at hansenpartnership.com> wrote:
> 
> > 
> > OK, let me make it more specific: there exists no individual
> > contributing to open source in a leadership capacity for whom a
> > signable NDA cannot be crafted.
> > 
> 
> No.
> 
> I don't sign NDA's. I just don't do it.
> 
> It's that simple.

But that's your choice; it's not because legally you can't.

> It's actually worked pretty well. It started because I worked for a
> direct competitor to Intel, and couldn't sign an NDA for the really
> old f0 0f lockup issue.
> 
> Not having an NDA back then turned out to be a good thing, because it
> made it a non-issue when leaks happened. So I started the policy that
> I never want to be in the position that I had to worry legally about
> being in the position of being under an NDA and knowing things
> outside of the leaks.
> 
> Instead, I've had a gentleman's agreement with companies - nothing
> legally binding, but over the years people have come to realize that
> the leaks don't come from me.
> 
> So I don't do NDA's. Maybe some Linux Foundation NDA agreement
> technically covers me, but at least with the Intel cases, Intel is
> actually aware of my non-NDA situation and is fine with it.

I'm fine with all of this as an argument.  If we believe that signing
NDAs would eventually lead to worse disasters because agreeing to them
now means corporations never change and never take our views into
account, then we should have the debate and make the decision for sound
policy reasons not because there's some spurious legal bar.

James
